Bamboo Security Advisory 2008-02-08 (Bamboo 2.0 Beta)

Bamboo 2.0 Beta Security Considerations

Risk Assessment

The Bamboo 2.0 Beta does not include the security features that will be present in the final released product. Please note the following security implications when enabling Bamboo's remote agent functionality:

  • No encryption of data passed between server and agent — this includes data such as:
    • login credentials for version control repositories
    • build logs
    • build artifacts
  • No authentication of the agent or server — this could result in unauthorised actions being taken on your system, such as:
    • Unauthorised parties installing new remote agents — version control repository login credentials could be stolen.
    • Unauthorised parties masquerading as a Bamboo server — the unauthorised server could pass malicious code to the agent to run.

We strongly recommend that you do not enable remote agent installation on any Bamboo instance accessible from a public or untrusted network. Creating remote agents is disabled by default.
These are limitations of the beta release only and will be addressed before the final product is released.

Vulnerability

An unauthorised party could steal sensitive data passing between the Bamboo server and agents or run malicious code on your agents, as described in the 'Risk Assessment' section.

Fix

These are limitations of the beta release only and will be addressed before the final product is released.

Last modified on May 7, 2012
