Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to do one or more of the following:
can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system.
Affected versions:
Fix:
Acknowledgements
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.
For additional details see the [full advisory|https://confluence.atlassian.com/x/PS9sO].