cvedb.io
CVE-2018-5224
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2018-03-29T13:29:00.350 · Last modified 2026-06-17T01:59:52.260

Summary

Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. All versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability.

Affected products

atlassian — bamboo

Does this affect you?

Add your gear to cvedb and we'll alert you only when atlassian ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.