Is After Deployment Trigger for Bamboo plugin for Bamboo affected by Spring4Shell vulnerability (CVE-2022-22965)
Issue #16
resolved
Hi,
We are using the After Deployment Trigger for Bamboo plugin (v0.9) for Bamboo (v8.0.4), but we would need your confirmation on whether this plugin is impacted by the security vulnerability https://github.com/advisories/GHSA-36p3-wjmg-h94x (Spring4Shell).
Regards
Comments (3)
reporter Hi,
Thanks for confirming @Alexey
Please feel free to close the request.
Regards,
Shafeeq
- changed status to resolved
answered
Hi @Shafeequr Rehman Mohammed, the plugin itself is not affected by Spring4Shell. As was announced at https://confluence.atlassian.com/kb/faq-for-cve-2022-22965-1115149136.html, all versions of Bamboo which use Java 11 are affected. Right now the only known exploit requires Bamboo system admin user permission to be used, which makes the impact more narrow, but doesn't guarantee that the issue can't be exploited through another plugin.