Bamboo After Deployment Trigger Plugin is impacted by CVE-2023-50164 vulnerability or not
Recently our application Bamboo was diagnosed with the vulnerability below. Please let us know if the plugin “Bamboo After Deployment Trigger Plugin” is impacted by this vulnerability or not. Below are the details of the plugin and the vulnerability:
Bamboo SEN Number : SEN-34395126
Atlassian Bamboo version 9.2.4
Plugin Details:
Installed version: 0.10
Vendor: Atlassian Software Systems Pty Ltd
Support: Supported by vendor
App key: com.atlassianlab.bamboo.plugins.bamboo-after-deployment-trigger-plugin
Vulnerability details:
https://nvd.nist.gov/vuln/detail/CVE-2023-50164
Apache Struts announced and released stable versions 6.3.0.2 and 2.5.33 which patches a critical vulnerability. This vulnerability is a potential path traversal vulnerability in a file upload functionality and has been assigned the identifier CVE-2023-50164.
Affected Versions:
2.5.0-2.5.32 (patch version 2.5.33)
6.0.0-6.3.0 (patch version 6.3.0.2)
Please let us know if we are impacted by this vulnerability.
Regards,
Priyanka
Comments (2)
- changed status to closed
Hello, the plugin uses Struts from the Bamboo application; if you have a version of Bamboo with the updated Struts dependency related to https://jira.atlassian.com/browse/BAM-25604, e.g. 9.2.8+, 9.3.6+ and 9.4.2+, then the instance is safe.
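The reply above boils down to two version checks: is the Struts library inside a given affected range from the advisory, and is the Bamboo release at or past the first build on its maintenance line that ships the updated dependency. The script below is an added example written for this page, not Atlassian's code or anything from BAM-25604. It takes the affected ranges (2.5.0-2.5.32, fixed in 2.5.33; 6.0.0-6.3.0, fixed in 6.3.0.2) and the fixed Bamboo releases (9.2.8, 9.3.6, 9.4.2) straight from the text, and makes two assumptions of its own: sub-point releases below a fix (for example a hypothetical 6.3.0.1) are treated as affected, and the jar directory named in the comments (atlassian-bamboo/WEB-INF/lib) and the jar file name pattern are assumed, not taken from the page. The directory listing fed to it is constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '6.3.0.2', '9.2.4' or '2.5.33-SNAPSHOT' into a comparable tuple.
    Only the leading digits of each dot-separated component count; the first
    component with no leading digits ends the version."""
    parts: List[int] = []
    for component in text.strip().split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"not a version: {text!r}")
    return tuple(parts)


# Affected ranges and fixed releases as quoted in the advisory above.
# Each entry is (first affected, first fixed). Treating everything below the
# fixed release on that line as affected is an assumption for sub-point
# releases (e.g. a 6.3.0.1), which the advisory text does not spell out.
STRUTS_RANGES: List[Tuple[Version, Version]] = [
    ((2, 5, 0), (2, 5, 33)),
    ((6, 0, 0), (6, 3, 0, 2)),
]

# First Bamboo release per maintenance line carrying the updated Struts
# dependency, per the reply citing BAM-25604 (9.2.8+, 9.3.6+, 9.4.2+).
BAMBOO_FIXED: Dict[Tuple[int, int], Version] = {
    (9, 2): (9, 2, 8),
    (9, 3): (9, 3, 6),
    (9, 4): (9, 4, 2),
}

# Assumed file name pattern for the Struts core jar in Bamboo's lib directory.
STRUTS_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def struts_is_affected(version: str) -> Optional[bool]:
    """True if the Struts version falls in an affected range, False if it is
    at or after the fix on the same major line, None if the advisory text
    says nothing about that line (e.g. 2.3.x or 7.x): check separately."""
    v = parse_version(version)
    for first_affected, first_fixed in STRUTS_RANGES:
        if first_affected <= v < first_fixed:
            return True
        if v >= first_fixed and v[0] == first_fixed[0]:
            return False
    return None


def bamboo_has_struts_fix(bamboo_version: str) -> Optional[bool]:
    """True/False for the 9.2, 9.3 and 9.4 lines named in the reply; None for
    any other line, which this page gives no fixed release for."""
    v = parse_version(bamboo_version)
    first_fixed = BAMBOO_FIXED.get(v[:2])
    if first_fixed is None:
        return None
    return v >= first_fixed


def struts_versions_from_jars(jar_names: List[str]) -> List[str]:
    """Pull struts2-core version(s) out of a directory listing, e.g. of
    <bamboo-install>/atlassian-bamboo/WEB-INF/lib (assumed location)."""
    return [m.group(1) for name in jar_names
            if (m := STRUTS_JAR_RE.match(name))]


def assess(bamboo_version: str, jar_names: List[str]) -> str:
    """Combine both checks: the shipped jar is the ground truth, the Bamboo
    release number is the quick answer when the jar cannot be inspected."""
    jars = struts_versions_from_jars(jar_names)
    if jars:
        verdicts = {j: struts_is_affected(j) for j in jars}
        if any(v is True for v in verdicts.values()):
            return f"AFFECTED: bundled struts2-core {sorted(verdicts)} in affected range"
        if all(v is False for v in verdicts.values()):
            return f"NOT AFFECTED: bundled struts2-core {sorted(verdicts)} at/after fix"
        return f"UNKNOWN: struts2-core {sorted(verdicts)} not covered by advisory ranges"
    fixed = bamboo_has_struts_fix(bamboo_version)
    if fixed is None:
        return f"UNKNOWN: Bamboo {bamboo_version} line not covered by BAM-25604 list"
    return (f"NOT AFFECTED: Bamboo {bamboo_version} ships the updated Struts"
            if fixed else
            f"AFFECTED: Bamboo {bamboo_version} predates the fixed release on its line")


if __name__ == "__main__":
    # Constructed listing standing in for `ls atlassian-bamboo/WEB-INF/lib`.
    sample_lib = ["commons-io-2.11.0.jar", "struts2-core-2.5.31.jar", "log4j-api-2.20.0.jar"]
    print(assess("9.2.4", sample_lib))   # the asker's version, with a sample jar
    print(assess("9.2.4", []))           # same version, jar not inspected
    print(assess("9.2.8", []))
```

On a real host the jar check is the one to trust: the plugin itself ships no Struts, so the version in WEB-INF/lib is what the application actually loads, and the release-number check only tells you which build Atlassian says should be there.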