Description
An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537347/100/0/threaded
Patch, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/BAM-17101
Vendor Advisory x_refsource_confirm
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html
Scores
CVSS v3
9.8
EPSS
0.0119
EPSS Percentile
79.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (50)
atlassian/bamboo
2.3.1
atlassian/bamboo
2.4
atlassian/bamboo
2.4.1
atlassian/bamboo
2.4.2
atlassian/bamboo
2.4.3
atlassian/bamboo
2.5
atlassian/bamboo
2.5.1
atlassian/bamboo
2.5.2
atlassian/bamboo
2.5.3
atlassian/bamboo
2.5.5
... and 40 more
Published
Feb 08, 2016
Tracked Since
Feb 18, 2026