=====================================================================

                               CERT-Renater

                     Note d'Information No. 2023/VULN347

_____________________________________________________________________

DATE                : 26/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Bamboo Data Center and Server
                            versions prior to 9.3.1, 9.2.4.

=====================================================================
https://jira.atlassian.com/browse/BAM-22479
_____________________________________________________________________

Third-Party Dependency in Bamboo Data Center and Server


Details

     Type:               Public Security Vulnerability
     Resolution:         Fixed
     Priority:           High
     Fix Version/s:      9.3.1, 9.2.4
     Affects Version/s:  9.0.2, 9.3.0, 9.1.1, 9.2.1, 9.1.2, 8.2.8,
                         9.0.3, 8.1.12, 9.2.3, 9.1.3, 9.0.4, 8.2.9
     Component/s:        None
     Labels:             advisory advisory-to-release dont-import security
     CVSS Score:         7.5
     CVSS Severity:      High
     CVE ID:             CVE-2023-28709
     Vulnerability Source: Atlassian (Internal)
     CVSSv3 Vector:      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
     Vulnerability Classes: Patch Management
     Affected Product(s): Bamboo Data Center, Bamboo Server


Description

This High severity Third-Party Dependency vulnerability was introduced
in version 8.1.12 of Bamboo Data Center and Server.

This Third-Party Dependency vulnerability, with a CVSS score of 7.5 and
CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (reachable over
the network, low attack complexity, no privileges or user interaction
required, high impact on availability only), allows an attacker to
expose assets in your environment susceptible to exploitation.

Atlassian recommends that Bamboo Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

     Bamboo Data Center and Server 9.3: Upgrade to a release greater
                                        than or equal to 9.3.1
     Bamboo Data Center and Server 9.2: Upgrade to a release greater
                                        than or equal to 9.2.4
     Bamboo Data Center and Server 8.2: Upgrade to a non-vulnerable
                                        Bamboo 9.2 or 9.3 listed above
     Bamboo Data Center and Server 8.1: Upgrade to a non-vulnerable
                                        Bamboo 9.2 or 9.3 listed above
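To apply the upgrade guidance above across a fleet, here is an added Python example (not CERT-Renater's or Atlassian's code) that encodes the affected range stated in this note (introduced in 8.1.12, fixed in 9.2.4 and 9.3.1) and flags which installations still need patching; the host inventory inside it is constructed sample data.

```python
"""Patch-management triage for Bamboo advisory BAM-22479 / CVE-2023-28709.

Added example, not CERT-Renater's or Atlassian's code. The ranges below
are taken from the advisory: introduced in 8.1.12, fixed in 9.2.4 and
9.3.1; the 8.x, 9.0 and 9.1 lines have no fixed release of their own.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

INTRODUCED: Version = (8, 1, 12)
# Fixed release per maintained branch ("Fix Version/s" in the advisory).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (9, 2): (9, 2, 4),
    (9, 3): (9, 3, 1),
}
FIRST_CLEAN: Version = (9, 3, 1)  # "versions prior to 9.3.1" are affected


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Bamboo version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, recommended_upgrade) for an installed Bamboo version."""
    v = parse_version(version_text)
    if v < INTRODUCED or v >= FIRST_CLEAN:
        return False, None           # predates the dependency, or already clean
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:            # 9.2.x or 9.3.x: a fixed release exists
        if v >= fixed:
            return False, None
        return True, "%d.%d.%d" % fixed
    # 8.1.12 .. 9.1.x: no fix on this branch, move to a fixed 9.2 or 9.3
    return True, "9.2.4 or 9.3.1"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each vulnerable host in {host: version} to its recommended upgrade."""
    return {host: target for host, ver in inventory.items()
            for vulnerable, target in [assess(ver)] if vulnerable}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {"ci-01": "9.2.3", "ci-02": "9.3.1", "ci-03": "8.2.9", "ci-04": "8.1.11"}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target}")
```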


See the release notes
(https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html).
You can download the latest version of Bamboo Data Center and Server
from the download center
(https://www.atlassian.com/software/bamboo/download-archives).

The National Vulnerability Database provides the following description
for this vulnerability: The fix for CVE-2023-24998 was incomplete
for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71
to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector
settings were used such that the maxParameterCount could be
reached using query string parameters and a request was
submitted that supplied exactly maxParameterCount parameters in
the query string, the limit for uploaded request parts could be
bypassed with the potential for a denial of service to occur.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
