Bamboo Security Advisory 2009-03-09
In this advisory:
セキュリティの脆弱性
XSS vulnerabilities on the User Profile page
深刻度
Atlassian rates this vulnerability as HIGH, according to the scale published in the Bamboo Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a security flaw which may affect Bamboo instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability in Bamboo's 'User Profile' page. This potentially allows a malicious user (hacker) to hack the URL of controls on the page (e.g. User Profile link) to insert special JavaScript. A hacker could present the hacked URL to users (e.g. disguised in an email). If any users clicked the URL, the special JavaScript would be executed in the user's session.
- ハッカーは、この欠陥を利用して他のユーザーのセッション cookie やその他の資格情報を盗み、その資格情報を攻撃者自身の Web サーバーに送り返す可能性があります。
- The hacker could also gain control over the underlying system, based on the privileges of the user whose session cookie has been stolen.
- The hacker's text and script might be displayed to other people on the User Profile page. This is potentially damaging to your company's reputation.
Atlassian recommends that you upgrade to Bamboo 2.2 to fix the vulnerabilities described below.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Risk Mitigation
If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your Bamboo system until you have applied the necessary patch or upgrade. For even tighter control, you could restrict Bamboo access to trusted groups only.
Vulnerability
The User Profile page in Bamboo is affected. The URLs of links on this page are not HTML-escaped.
修正
The fix is to HTML-encode the URLs of all links on the User Profile page, so that it cannot be used to run special scripts.
This issue has been fixed in Bamboo 2.2 only. There are no patches available for previous versions of Bamboo, for this fix.
XSS vulnerabilities when adding Requirements for a Build
深刻度
Atlassian rates this vulnerability as HIGH, according to the scale published in the Bamboo Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a security flaw which may affect Bamboo instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability when adding requirements for a build. This potentially allows a malicious user (hacker) to insert special JavaScript in the key of a requirement when adding it to a build. If any users clicked the requirement, the special JavaScript would be executed in the user's session.
- ハッカーは、この欠陥を利用して他のユーザーのセッション cookie やその他の資格情報を盗み、その資格情報を攻撃者自身の Web サーバーに送り返す可能性があります。
- The hacker could also gain control over the underlying system, based on the privileges of the user whose session cookie has been stolen.
- The hacker's text and script might be displayed to other people on the User Profile page. This is potentially damaging to your company's reputation.
Atlassian recommends that you upgrade to Bamboo 2.2 to fix the vulnerabilities described below.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Risk Mitigation
If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your Bamboo system until you have applied the necessary patch or upgrade. For even tighter control, you could restrict Bamboo access to trusted groups only.
Vulnerability
The requirements for a build are affected. The key is not HTML-escaped. This affects all versions from 2.0 onwards.
修正
The fix is to HTML-encode the keys of requirements for builds, so that they cannot be used to run special scripts.
This issue has been fixed in Bamboo 2.2 only. There are no patches available for previous versions of Bamboo, for this fix.
XSS vulnerabilities in the user's full name
深刻度
Atlassian rates this vulnerability as HIGH, according to the scale published in the Bamboo Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a security flaw which may affect Bamboo instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability in the user's full name. This potentially allows a malicious user (hacker) to create a new user and hack the user's full name to insert special JavaScript. The user's full name is presented in a number of places, including author statistics page, build result comments, build changes and commit notifications. If any users clicked the user name, the special JavaScript would be executed in the user's session.
- ハッカーは、この欠陥を利用して他のユーザーのセッション cookie やその他の資格情報を盗み、その資格情報を攻撃者自身の Web サーバーに送り返す可能性があります。
- The hacker could also gain control over the underlying system, based on the privileges of the user whose session cookie has been stolen.
- The hacker's text and script might be displayed to other people on the User Profile page. This is potentially damaging to your company's reputation.
Atlassian recommends that you upgrade to Bamboo 2.2 to fix the vulnerabilities described below.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Risk Mitigation
If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your Bamboo system until you have applied the necessary patch or upgrade. For even tighter control, you could restrict Bamboo access to trusted groups only.
Vulnerability
The author statistics page, build result comments, build changes and commit notifications are affected. The user name is not HTML-escaped.
修正
The fix is to HTML-encode the user's full name on these pages/notifications, so that it cannot be used to run special scripts.
This issue has been fixed in Bamboo 2.2 only. There are no patches available for previous versions of Bamboo, for this fix.
XSS vulnerabilities in build logs
深刻度
Atlassian rates this vulnerability as HIGH, according to the scale published in the Bamboo Security documentation. This scale allows us to rank a vulnerability as critical, high, moderate or low.
Risk Assessment
We have identified and fixed a security flaw which may affect Bamboo instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability in the Bamboo build logs. This potentially allows a malicious user (hacker) to insert special JavaScript into a build log. If a user opened the hacked build log, the special JavaScript would be executed in the user's session.
- ハッカーは、この欠陥を利用して他のユーザーのセッション cookie やその他の資格情報を盗み、その資格情報を攻撃者自身の Web サーバーに送り返す可能性があります。
- The hacker could also gain control over the underlying system, based on the privileges of the user whose session cookie has been stolen.
- The hacker's text and script might be displayed to other people on the User Profile page. This is potentially damaging to your company's reputation.
Atlassian recommends that you upgrade to Bamboo 2.2 to fix the vulnerabilities described below.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
Risk Mitigation
If you judge it necessary, you can disable public access (i.e. anonymous access and public signup) to your Bamboo system until you have applied the necessary patch or upgrade. For even tighter control, you could restrict Bamboo access to trusted groups only.
Vulnerability
The Bamboo build logs are affected. The log lines are not HTML-escaped.
修正
The fix is to HTML-encode the log entries for the build logs, so that they cannot be used to run special scripts.
This issue has been fixed in Bamboo 2.2 only. There are no patches available for previous versions of Bamboo, for this fix.
Please let us know what you think of the format of this security advisory and the information we have provided.