An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.
This security vulnerability has been fixed in ScriptRunner 5.4.19.1; it is recommended all customers upgrade to 5.4.19.1+ where possible.
If no firewall is enabled, users must update ScriptRunner to include this security patch.
If using a proxy server in front of the application, blocking HTTP requests beginning with rest/scriptrunner/latest/remote-events/* mitigates the vulnerability.
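To check whether the endpoint was reached before the upgrade or proxy rule was in place, the proxy's access log can be reviewed for POST requests to that path. The script below is an added example, not part of ScriptRunner or of the original release notes; the Combined Log Format, the /bamboo context path and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/rest/scriptrunner/latest/remote-events"  # path from the advisory

# Assumption: Combined Log Format; adjust the pattern to your proxy's format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
203.0.113.7 - alice [01/Jan/2020:10:00:01 +0000] "POST /rest/scriptrunner/latest/remote-events/ HTTP/1.1" 200 51
203.0.113.7 - alice [01/Jan/2020:10:00:05 +0000] "GET /some/other/page HTTP/1.1" 200 512
198.51.100.9 - bob [01/Jan/2020:10:02:11 +0000] "POST /bamboo//rest/scriptrunner/latest/remote%2Devents/x?y=1 HTTP/1.1" 200 48
198.51.100.9 - bob [01/Jan/2020:10:02:30 +0000] "POST /rest/scriptrunner/latest/remote-events-archive HTTP/1.1" 404 0
""".splitlines()


def normalize(target):
    """Canonicalise a request target so encoded or padded paths still match."""
    path = unquote(target.split("?", 1)[0])   # drop query, decode %xx once
    path = re.sub(r"/{2,}", "/", path)        # collapse duplicate slashes
    return posixpath.normpath(path)           # resolve ./ and ../, strip trailing /


def touches_endpoint(target):
    """True if the path reaches the endpoint, with or without a context path."""
    path = normalize(target)
    idx = path.find(ENDPOINT)
    if idx == -1:
        return False
    rest = path[idx + len(ENDPOINT):]
    return rest == "" or rest.startswith("/")  # whole path segment only


def scan(lines):
    """Return one record per POST request that reached the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and touches_endpoint(m["target"]):
            hits.append({k: m[k] for k in ("ts", "ip", "user", "status")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same normalisation (decode, collapse slashes, resolve dot segments) is worth confirming in the proxy's own block rule, so that a padded or percent-encoded form of the path is not passed through.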
5.4.19
New Features
New user interface
The user interface has been rewritten to provide a more user-friendly experience. The appearance is very similar to the existing UI.
Customize the UI with Script Fragments
Script Fragments are here for ScriptRunner for Bamboo! Add your own customized elements to the Bamboo user interface. This can range from simple buttons and dialogs to integrations, such as adding a static analysis tab to your build results.
You now have the ability to search for scripts contained within your configured script roots inside ScriptRunner. Wherever you used to be able to paste the path of a script, you can now search for the script directly in the file input. Simply start typing the name of your script and the search will present suggestions that you can select!
[SRBAM-66] - As an Administrator, I need to embed custom web sections in Bamboo in order to get relevant content from outside Bamboo visible to my developers
[SRBAM-67] - As an Administrator, I need to embed my own web items so I can help users perform actions relevant to them not available to Bamboo
[SRBAM-70] - Specific Use Case: Add a tab to the build that displays information about the build (such as static analysis results)
Bug Fixes
[SRBAM-46] - Script Jobs User Picker does not do user search when editing an existing job
[SRBAM-71] - Searching for web fragments is hard to read
[SRBAM-85] - Bamboo restart does not startup the plugin correctly
[SRBAM-110] - Can not add new tasks/conditions through the UI for later Bamboo versions