CVE-2024-21689

HIGH

Atlassian Bamboo < 9.2.17 - Code Injection

Title source: rule

Description

This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bamboo Data Center and Server 9.2: Upgrade to a release greater than or equal to 9.2.17 Bamboo Data Center and Server 9.6: Upgrade to a release greater than or equal to 9.6.5 See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center and Server from the download center ([https://www.atlassian.com/software/bamboo/download-archives]). This vulnerability was reported via our Bug Bounty program.

Exploits (1)

nomisec SUSPICIOUS 2 stars

by salvadornakamura · poc

https://github.com/salvadornakamura/CVE-2024-21689

View Code ZIP pw:eip

References (2)

[Issue Tracking, Vendor Advisory] https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667

[Issue Tracking, Vendor Advisory] https://jira.atlassian.com/browse/BAM-25858

Scores

CVSS v3 8.0

EPSS 0.4096

EPSS Percentile 97.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

atlassian/bamboo 9.1.0 - 9.2.17

Published Aug 20, 2024

Tracked Since Feb 18, 2026