{ "document" : { "aggregate_severity" : { "text" : "hoch" }, "category" : "csaf_base", "csaf_version" : "2.0", "distribution" : { "tlp" : { "label" : "WHITE", "url" : "https://www.first.org/tlp/" } }, "lang" : "de-DE", "notes" : [ { "category" : "legal_disclaimer", "text" : "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen." }, { "category" : "description", "text" : "Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.\r\nConfluence ist eine kommerzielle Wiki-Software.", "title" : "Produktbeschreibung" }, { "category" : "summary", "text" : "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Bamboo und Atlassian Confluence ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren, vertrauliche Informationen offenzulegen und Cross-Site-Scripting-Angriffe durchzuführen.", "title" : "Angriff" }, { "category" : "general", "text" : "- Sonstiges\n- UNIX\n- Windows", "title" : "Betroffene Betriebssysteme" } ], "publisher" : { "category" : "other", "contact_details" : "csaf-provider@cert-bund.de", "name" : "Bundesamt für Sicherheit in der Informationstechnik", "namespace" : "https://www.bsi.bund.de" }, "references" : [ { "category" : "self", "summary" : "WID-SEC-W-2026-0438 - CSAF Version", "url" : "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0438.json" }, { "category" : "self", "summary" : "WID-SEC-2026-0438 - Portal Version", "url" : "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0438" }, { "category" : "external", "summary" : "Atlassian Security Bulletin vom 2026-02-17", "url" : "https://confluence.atlassian.com/security/security-bulletin-february-17-2026-1722256046.html" }, { "category" : "external", "summary" : "PoC CVE-2020-28469 vom 2026-02-17", "url" : "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905" }, { "category" : "external", "summary" : "PoC CVE-2022-25883 vom 2026-02-17", "url" : "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" }, { "category" : "external", "summary" : "PoC CVE-2022-25927 vom 2026-02-17", "url" : "https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450" }, { "category" : "external", "summary" : "PoC CVE-2025-66021 vom 2026-02-17", "url" : "https://github.com/OWASP/java-html-sanitizer/security/advisories/GHSA-g9gq-3pfx-2gw2" }, { "category" : "external", "summary" : "Atlassian Security Bulletin - March 17 2026", "url" : "https://confluence.atlassian.com/security/security-bulletin-march-17-2026-1721271371.html" } ], "source_lang" : "en-US", "title" : "Atlassian Bamboo und Confluence (Data Center und Server): Mehrere Schwachstellen", "tracking" : { "current_release_date" : "2026-03-17T23:00:00.000+00:00", "generator" : { "date" : "2026-03-18T12:13:12.877+00:00", "engine" : { "name" : "BSI-WID", "version" : "1.5.0" } }, "id" : "WID-SEC-W-2026-0438", "initial_release_date" : "2026-02-17T23:00:00.000+00:00", "revision_history" : [ { "date" : "2026-02-17T23:00:00.000+00:00", "number" : "1", "summary" : "Initiale Fassung" }, { "date" : "2026-03-17T23:00:00.000+00:00", "number" : "2", "summary" : "Neue Updates aufgenommen" } ], "status" : "final", "version" : "2" } }, "product_tree" : { "branches" : [ { "branches" : [ { "branches" : [ { "category" : "product_version_range", "name" : "Data Center and Server <12.1.2 LTS", "product" : { "name" : "Atlassian Bamboo Data Center and Server <12.1.2 LTS", "product_id" : "T050961" } }, { "category" : "product_version", "name" : "Data Center and Server 12.1.2 LTS", "product" : { "name" : "Atlassian Bamboo Data Center and Server 12.1.2 LTS", "product_id" : "T050961-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:bamboo:data_center_and_server__12.1.2_lts" } } }, { "category" : "product_version_range", "name" : "Data Center and Server <10.2.14", "product" : { "name" : "Atlassian Bamboo Data Center and Server <10.2.14", "product_id" : "T050962" } }, { "category" : "product_version", "name" : "Data Center and Server 10.2.14", "product" : { "name" : "Atlassian Bamboo Data Center and Server 10.2.14", "product_id" : "T050962-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:bamboo:data_center_and_server__10.2.14" } } } ], "category" : "product_name", "name" : "Bamboo" }, { "branches" : [ { "category" : "product_version_range", "name" : "<10.1.5", "product" : { "name" : "Atlassian Bitbucket <10.1.5", "product_id" : "T051833" } }, { "category" : "product_version", "name" : "10.1.5", "product" : { "name" : "Atlassian Bitbucket 10.1.5", "product_id" : "T051833-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:bitbucket:10.1.5" } } }, { "category" : "product_version_range", "name" : "<10.2.0 to 10.2.1", "product" : { "name" : "Atlassian Bitbucket <10.2.0 to 10.2.1", "product_id" : "T051834" } }, { "category" : "product_version", "name" : "10.2.0 to 10.2.1", "product" : { "name" : "Atlassian Bitbucket 10.2.0 to 10.2.1", "product_id" : "T051834-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:bitbucket:10.2.0_to_10.2.1" } } }, { "category" : "product_version_range", "name" : "<9.4.17 to 9.4.18", "product" : { "name" : "Atlassian Bitbucket <9.4.17 to 9.4.18", "product_id" : "T051835" } }, { "category" : "product_version", "name" : "9.4.17 to 9.4.18", "product" : { "name" : "Atlassian Bitbucket 9.4.17 to 9.4.18", "product_id" : "T051835-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:bitbucket:9.4.17_to_9.4.18" } } } ], "category" : "product_name", "name" : "Bitbucket" }, { "branches" : [ { "category" : "product_version_range", "name" : "Data Center and Server <10.2.6 LTS", "product" : { "name" : "Atlassian Confluence Data Center and Server <10.2.6 LTS", "product_id" : "T050963" } }, { "category" : "product_version", "name" : "Data Center and Server 10.2.6 LTS", "product" : { "name" : "Atlassian Confluence Data Center and Server 10.2.6 LTS", "product_id" : "T050963-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:confluence:data_center_and_server__10.2.6_lts" } } }, { "category" : "product_version_range", "name" : "Data Center and Server <10.2.3 LTS", "product" : { "name" : "Atlassian Confluence Data Center and Server <10.2.3 LTS", "product_id" : "T050964" } }, { "category" : "product_version", "name" : "Data Center and Server 10.2.3 LTS", "product" : { "name" : "Atlassian Confluence Data Center and Server 10.2.3 LTS", "product_id" : "T050964-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:confluence:data_center_and_server__10.2.3_lts" } } }, { "category" : "product_version_range", "name" : "Data Center and Server <9.2.15 LTS", "product" : { "name" : "Atlassian Confluence Data Center and Server <9.2.15 LTS", "product_id" : "T050965" } }, { "category" : "product_version", "name" : "Data Center and Server 9.2.15 LTS", "product" : { "name" : "Atlassian Confluence Data Center and Server 9.2.15 LTS", "product_id" : "T050965-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:confluence:data_center_and_server__9.2.15__lts" } } }, { "category" : "product_version_range", "name" : "Data Center and Server <9.2.14 LTS", "product" : { "name" : "Atlassian Confluence Data Center and Server <9.2.14 LTS", "product_id" : "T050966" } }, { "category" : "product_version", "name" : "Data Center and Server 9.2.14 LTS", "product" : { "name" : "Atlassian Confluence Data Center and Server 9.2.14 LTS", "product_id" : "T050966-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:atlassian:confluence:data_center_and_server__9.2.14__lts" } } } ], "category" : "product_name", "name" : "Confluence" } ], "category" : "vendor", "name" : "Atlassian" } ] }, "vulnerabilities" : [ { "cve" : "CVE-2020-28469", "product_status" : { "known_affected" : [ "T050965", "T051835", "T050964", "T051833", "T050966", "T051834", "T050963" ] }, "release_date" : "2026-02-17T23:00:00.000+00:00", "title" : "CVE-2020-28469" }, { "cve" : "CVE-2022-25883", "product_status" : { "known_affected" : [ "T050965", "T051835", "T050964", "T051833", "T050966", "T051834", "T050963" ] }, "release_date" : "2026-02-17T23:00:00.000+00:00", "title" : "CVE-2022-25883" }, { "cve" : "CVE-2022-25927", "product_status" : { "known_affected" : [ "T050965", "T051835", "T050964", "T051833", "T050966", "T051834", "T050963" ] }, "release_date" : "2026-02-17T23:00:00.000+00:00", "title" : "CVE-2022-25927" }, { "cve" : "CVE-2025-41249", "product_status" : { "known_affected" : [ "T050965", "T051835", "T050964", "T051833", "T050966", "T051834", "T050963" ] }, "release_date" : "2026-02-17T23:00:00.000+00:00", "title" : "CVE-2025-41249" }, { "cve" : "CVE-2025-48976", "product_status" : { "known_affected" : [ "T050965", "T051835", "T050964", "T051833", "T050966", "T051834", "T050963" ] }, "release_date" : "2026-02-17T23:00:00.000+00:00", "title" : "CVE-2025-48976" }, { "cve" : "CVE-2025-59343", "product_status" : { "known_affected" : [ "T050965", "T051835", "T050964", "T051833", "T050966", "T051834", "T050963" ] }, "release_date" : "2026-02-17T23:00:00.000+00:00", "title" : "CVE-2025-59343" }, { "cve" : "CVE-2025-66021", "product_status" : { "known_affected" : [ "T051835", "T051833", "T051834", "T050961", "T050962" ] }, "release_date" : "2026-02-17T23:00:00.000+00:00", "title" : "CVE-2025-66021" } ] }