CVE-2015-6576

HIGH

Atlassian Bamboo < 5.8.5 - Code Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6576. PoCs published by CallMeJonas.

AI-analyzed exploit summary: This PoC exploits a deserialization vulnerability in Atlassian Bamboo (CVE-2015-6576) by sending a malicious serialized payload to the agent server endpoint. It retrieves a fingerprint from the target and uses it to trigger deserialization, potentially leading to remote code execution.

Description

Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.

Exploits (1)

nomisec WORKING POC 2 stars
by CallMeJonas · poc
https://github.com/CallMeJonas/CVE-2015-6576

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Bamboo (versions affected by CVE-2015-6576)
No auth needed
Prerequisites: Network access to the Bamboo server · ysoserial-generated payload
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq)
http://www.securityfocus.com/archive/1/536747/100/0/threaded
Vendor Advisory (x_refsource_confirm)
https://confluence.atlassian.com/x/Hw7RLg
Issue Tracking, Vendor Advisory (x_refsource_confirm)
https://jira.atlassian.com/browse/BAM-16439
Third Party Advisory, VDB Entry (x_refsource_misc)
http://packetstormsecurity.com/files/134065/Bamboo-Java-Code-Execution.html

Scores

CVSS v3: 8.8
EPSS: 0.0227
EPSS Percentile: 84.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-94
Status: published
Products (1): atlassian/bamboo 2.2 - 5.8.5
Published: Oct 03, 2017
Tracked Since: Feb 18, 2026