CVE-2016-5229
Severity: CRITICAL
Title: Atlassian Bamboo < 5.11.4.1 and 5.12.x < 5.12.3.1 - Remote Code Execution via XStream Deserialization
Title source: llmDescription
Description: Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict the classes permitted during deserialization, which allows remote attackers to execute arbitrary code via vectors related to XStream serialization.
References (5)
- Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/539003/100/0/threaded
- Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/92057
- Issue Tracking (x_refsource_confirm): https://jira.atlassian.com/browse/BAM-17736
- Vendor Advisory (x_refsource_confirm): https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html
Scores
CVSS v3: 9.8
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0603
EPSS Percentile: 90.8%
Details
CWE: CWE-284
Status: published
Products (4)
- atlassian/bamboo 5.12.0
- atlassian/bamboo 5.12.1
- atlassian/bamboo 5.12.2
- atlassian/bamboo < 5.11.3
Published: Aug 02, 2016
Tracked Since: Feb 18, 2026