Atlassian Bamboo Server and Data Center SQL Injection Vulnerability
Atlassian has released its Monthly Security Bulletin for March. This bulletin addresses 24 high-severity vulnerabilities and one critical-severity vulnerability (CVE-2024-1597).
CVE-2024-1597 is a SQL injection vulnerability in Atlassian Bamboo Server and Data Center. It has been rated critical and received a CVSS score of 10. Successful exploitation could allow an unauthenticated attacker to dump sensitive data or execute arbitrary code.
Atlassian Bamboo Server is a continuous integration (CI) and continuous deployment (CD) tool that automates the release management of software applications.
Atlassian Bamboo Data Center is a continuous deployment pipeline that assists software development teams with automated workflows, continuous deployment, and built-in disaster recovery.
Security Details:
This vulnerability exists in the dependency 'org.postgresql:postgresql' (the PostgreSQL JDBC driver, pgjdbc) that Bamboo ships with. It can be exploited by an unauthenticated attacker with low attack complexity.
"SQL injection is possible when application code combines a parameter value with application code that cancels a parameter value with the non-default connection property preferQueryMode=simple."
Affected Versions:
From 9.5.0 to 9.5.1
From 9.4.0 to 9.4.3
From 9.3.0 to 9.3.6
From 9.2.0 to 9.2.11 (LTS)
From 9.1.0 to 9.1.3
From 9.0.0 to 9.0.4
From 8.2.0 to 8.2.9
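As an added illustration (not part of the bulletin and not Atlassian or pgjdbc tooling), the following Python helper does the two checks an administrator would want after reading the above: it tests a Bamboo version string against the affected ranges listed above, and it inspects the PostgreSQL JDBC URL for the non-default preferQueryMode=simple property that the quoted advisory names as the precondition for the injection. The bamboo.cfg.xml fragment, the hibernate.connection.url property name, and the host names are constructed assumptions for this example, not values taken from the bulletin.

```python
"""Exposure check for CVE-2024-1597 (pgjdbc SQL injection) in Atlassian Bamboo."""
import re
import xml.etree.ElementTree as ET

# Affected Bamboo version ranges exactly as published in the bulletin (inclusive).
AFFECTED_RANGES = [
    ((9, 5, 0), (9, 5, 1)),
    ((9, 4, 0), (9, 4, 3)),
    ((9, 3, 0), (9, 3, 6)),
    ((9, 2, 0), (9, 2, 11)),
    ((9, 1, 0), (9, 1, 3)),
    ((9, 0, 0), (9, 0, 4)),
    ((8, 2, 0), (8, 2, 9)),
]

# Constructed sample of a Bamboo database configuration file. The file name
# bamboo.cfg.xml and the hibernate.connection.url property are assumptions
# for this example; check your own installation for the real location.
SAMPLE_CFG = """<application-configuration>
  <properties>
    <property name="hibernate.connection.url">jdbc:postgresql://db.internal:5432/bamboo?ssl=true&amp;preferQueryMode=simple</property>
    <property name="hibernate.dialect">org.hibernate.dialect.PostgreSQLDialect</property>
  </properties>
</application-configuration>
"""


def parse_version(text):
    """Turn '9.2.11' (optionally with a suffix such as '-LTS') into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected_version(version):
    """True when the version falls inside any published affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def uses_simple_query_mode(jdbc_url):
    """True when a pgjdbc URL sets the non-default property preferQueryMode=simple.

    Only the URL query string is inspected here; the same property can also be
    supplied through a Properties object in application code, so a negative
    result from this check alone does not prove the driver runs in extended mode.
    """
    if not jdbc_url.lower().startswith("jdbc:postgresql:"):
        return False
    _, _, query = jdbc_url.partition("?")
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.strip() == "preferQueryMode" and value.strip().lower() == "simple":
            return True
    return False


def jdbc_url_from_cfg(xml_text):
    """Pull the JDBC URL out of a bamboo.cfg.xml-style document (assumed layout)."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == "hibernate.connection.url":
            return (prop.text or "").strip()
    return None


def assess(version, jdbc_url):
    """Return (level, reason) for a Bamboo instance.

    An affected version is treated as needing the vendor upgrade regardless of
    the query mode, because the precondition may be set outside the URL.
    """
    vulnerable_version = is_affected_version(version)
    simple_mode = uses_simple_query_mode(jdbc_url or "")
    if vulnerable_version and simple_mode:
        return "high", "affected Bamboo version and preferQueryMode=simple is set on the JDBC URL"
    if vulnerable_version:
        return "medium", "affected Bamboo version; upgrade even though simple mode is not set on the URL"
    return "low", "Bamboo version is outside the published affected ranges"


if __name__ == "__main__":
    url = jdbc_url_from_cfg(SAMPLE_CFG)
    for ver in ("9.2.11", "9.2.12", "9.5.1"):
        level, reason = assess(ver, url)
        print(f"Bamboo {ver}: {level} ({reason})")
```

Run it against the real version string from the Bamboo administration page and the JDBC URL from the live database configuration rather than the embedded sample; the "medium" outcome is deliberate, since the bulletin lists the versions as affected independent of how the driver happens to be configured.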
Source: Atlassian Bamboo Server and Data Center SQL Injection Vulnerability