CVE-2015-8361
CRITICALAtlassian Bamboo <5.9.9 & 5.10.x - Info Disclosure
Title source: llmDescription
Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/537347/100/0/threaded
Patch, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/BAM-17102
Vendor Advisory x_refsource_confirm
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html
Scores
CVSS v3
9.1
EPSS
0.0052
EPSS Percentile
67.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-284
Status
published
Products (50)
atlassian/bamboo
2.4
atlassian/bamboo
2.4.1
atlassian/bamboo
2.4.2
atlassian/bamboo
2.4.3
atlassian/bamboo
2.5
atlassian/bamboo
2.5.1
atlassian/bamboo
2.5.2
atlassian/bamboo
2.5.3
atlassian/bamboo
2.5.5
atlassian/bamboo
2.6
... and 40 more
Published
Feb 08, 2016
Tracked Since
Feb 18, 2026