{"resources":[{"cve_id":"CVE-2023-28709","cve_summary":"org.apache.tomcat:tomcat-catalina Vulnerability in Bamboo Data Center and Server","cve_details":"This High severity Third-Party Dependency vulnerability was introduced in versions 9.2.2, 9.2.3 and 9.3.0 of Bamboo Data Center and Server.\nThis Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n* Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.4\n* Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.1\n \nSee the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).\nThe National Vulnerability Database provides the following description for this vulnerability: The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.","cve_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","cve_severity":7.5,"cve_publish_date":"2023-10-17T17:01:46.000+0000","atl_tracking_url":"https://jira.atlassian.com/browse/BAM-22601","advisory_url":"","affected_products":["Bamboo Data Center","Bamboo Server"]},{"cve_id":"CVE-2023-28709","cve_summary":"Third-Party Dependency in Bamboo Data Center and Server","cve_details":"This High severity Third-Party Dependency vulnerability was introduced in version 8.1.12 of Bamboo Data Center and Server.\nThis Third-Party Dependency vulnerability, with CVSS Score(s) of 7.5, and CVSS Vector(s) of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an attacker to expose assets in your environment susceptible to exploitation.\nAtlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n* Bamboo Data Center and Server 9.3: Upgrade to a release greater than or equal to 9.3.1\n* Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.4\n* Bamboo Data Center and Server 8.2: Upgrade to a non-vulnerable Bamboo 9.2 or 9.3 listed above\n* Bamboo Data Center and Server 8.1: Upgrade to a non-vulnerable Bamboo 9.2 or 9.3 listed above\n \nSee the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives).\nThe National Vulnerability Database provides the following description for this vulnerability: The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.","cve_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","cve_severity":7.5,"cve_publish_date":"2023-09-19T18:08:24.000+0000","atl_tracking_url":"https://jira.atlassian.com/browse/BAM-22479","advisory_url":"","affected_products":["Bamboo Data Center","Bamboo Server"]}],"resources_count":2,"total_count":2}