Skip to main content

Bamboo CVE-2021-26067

MEDIUM
Information Exposure (CWE-200)
2021-01-28 security@atlassian.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jan 28, 2021 - 02:15 nvd
MEDIUM 5.3

DescriptionNVD

Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2.

AnalysisAI

Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2. Affected products include: Atlassian Bamboo. Version information: version 7.2.2..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

More in Bamboo

View all
CVE-2012-2926 CRITICAL POC
9.1 May 22

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef

CVE-2016-5229 CRITICAL
9.8 Aug 02

Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, w

CVE-2015-8360 CRITICAL
9.8 Feb 08

An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arb

CVE-2014-9757 CRITICAL
9.8 Feb 08

The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote con

CVE-2022-26136 CRITICAL
9.8 Jul 20

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used

CVE-2017-14589 CRITICAL
9.6 Dec 13

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. Rated critic

CVE-2015-6576 HIGH
8.8 Oct 03

Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execut

CVE-2015-8361 CRITICAL
9.1 Feb 08

Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, w

CVE-2017-14590 CRITICAL
9.1 Dec 13

Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. Rated critical s

CVE-2017-8907 HIGH
8.8 Jun 14

Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project

CVE-2017-9514 HIGH
8.8 Oct 12

Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not

CVE-2023-22516 HIGH
8.8 Nov 21

This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.

Share

CVE-2021-26067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy