This advisory announces a security vulnerability that we have found in all versions of Bamboo prior to 2.7.4 and fixed in 2.7.4 and later. You need to upgrade your existing Bamboo installations to fix this vulnerability. JIRA Studio is not vulnerable to any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerabilities listed in this advisory have been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
In this advisory:
XSS Vulnerability in Bamboo User Management
Atlassian rates the severity level of these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank the severity as critical, high, moderate or low.
The table below describes the Bamboo versions and the specific functionality affected by the XSS vulnerability.
Affected Bamboo Versions
Bamboo User Management
Bamboo 1.0 - 2.7.3
We recommend that you upgrade your Bamboo installation to fix these vulnerabilities.
Alternatively, if you are not in a position to upgrade immediately and you judge it necessary, you can restrict access to trusted groups.
Bamboo 2.7.4 and later versions fix this issue. View the issue linked above for information on fix versions. For a full description of this release, see the Bamboo 2.7.4 Release Notes. You can download the latest version of Bamboo from the Bamboo download centre.
There are no patches available to fix these vulnerabilities. You must upgrade your Bamboo installation.