Project: Bamboo Data Center
Issue: BAM-16439

CVE-2015-6576: Deserialisation Resulting in Remote Code Execution Vulnerability

      Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo web interface.
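The description above names the defect class (a resource that deserialises arbitrary user input without restriction) but not the code. The following is an added illustration, not Bamboo's or Atlassian's code: the same endpoint written in its vulnerable shape and in a hardened shape that refuses any class not on a fixed allow-list before an instance of it can exist. The class names `DeserialisationHardening`, `BuildRequest` and `RestrictedObjectInputStream` and the sample payloads are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not Bamboo's code). unrestrictedRead() is the shape of the
 * defect the advisory describes: whatever class the client names in the stream
 * gets instantiated. restrictedRead() uses a subclass whose resolveClass() hook
 * rejects every class descriptor that is not on an explicit allow-list.
 */
public class DeserialisationHardening {

    /** Hypothetical payload type that the endpoint legitimately expects. */
    public static final class BuildRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String planKey;
        public BuildRequest(String planKey) { this.planKey = planKey; }
    }

    /** Vulnerable shape: no restriction on which classes the stream may name. */
    public static Object unrestrictedRead(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    /** Hardened shape: resolveClass() runs for every class descriptor before any object is built. */
    public static final class RestrictedObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public RestrictedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                // Fail closed: the class is refused before its readObject() could ever run.
                throw new InvalidClassException(desc.getName(), "class not on the deserialisation allow-list");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // Dynamic proxies take a separate path; refuse them unless the endpoint needs them.
            throw new InvalidClassException("dynamic proxy", "proxy classes are not accepted");
        }
    }

    public static BuildRequest restrictedRead(InputStream in) throws IOException, ClassNotFoundException {
        // Every class that can legitimately appear in the stream, including field types, goes here.
        Set<String> allowed = Set.of(BuildRequest.class.getName(), String.class.getName());
        try (ObjectInputStream ois = new RestrictedObjectInputStream(in, allowed)) {
            return (BuildRequest) ois.readObject();
        }
    }

    /** Serialises any object to bytes; stands in for the request body a client would send. */
    static byte[] serialise(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialise(new BuildRequest("PROJ-PLAN"));
        // Constructed stand-in for a class the endpoint never expects: any other Serializable type.
        byte[] unexpected = serialise(new java.util.HashMap<String, String>());

        System.out.println("unrestricted accepted: " + unrestrictedRead(new ByteArrayInputStream(unexpected)).getClass());
        System.out.println("restricted accepted:   " + restrictedRead(new ByteArrayInputStream(expected)).planKey);
        try {
            restrictedRead(new ByteArrayInputStream(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("restricted rejected:   " + e.getMessage());
        }
    }
}
```

Two points matter when applying this pattern. First, `resolveClass()` is invoked for every class descriptor in the stream, not only the top-level one, so the allow-list has to cover the field types of the expected class as well; a list that is too short fails closed, which is the safe direction. Second, on JDK 9 and later the same restriction can be expressed with `java.io.ObjectInputFilter` and `ObjectInputStream.setObjectInputFilter()`, which also lets you cap stream depth and array sizes; the subclass above is the form that works on the older JDKs Bamboo 5.x ran on.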

      Affected versions:

      • All versions of Bamboo from 2.2 before 5.8.5 (the fixed version for 5.8.x) and from 5.9.0 before 5.9.7 (the fixed version for 5.9.x) are affected by this vulnerability.

      Fix:


      Acknowledgements:
      We would like to credit Matthias Kaiser of Code White for reporting this issue to us.


      For additional details see the full advisory.



            Przemek Bruski added a comment - You only need to make sure that the version of Bamboo you have installed matches one of the fixed versions. You can find out which version you have by looking at the footer of the pages served from Bamboo.
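The advice above is to compare the version shown in the page footer with the fixed versions. As an added example, not Atlassian's code, the following Java encodes the affected ranges exactly as the "Affected versions" section states them (from 2.2 before 5.8.5, and from 5.9.0 before 5.9.7) and classifies a version string against them; the class name `BambooVersionCheck` and the sample version strings are constructed.

```java
import java.util.Arrays;

/**
 * Added example (not Atlassian's code): classifies a Bamboo version string
 * against the two affected ranges given in this advisory.
 */
public class BambooVersionCheck {

    /** Parses "5.8.4", "v5.8.4" or "5.8.4-SNAPSHOT" into numeric components. */
    static int[] parse(String v) {
        String core = v.trim().replaceFirst("^v", "").split("-", 2)[0];
        return Arrays.stream(core.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    /** Compares dotted versions component-wise; a missing component counts as 0, so 5.8 == 5.8.0. */
    static int compare(String a, String b) {
        int[] x = parse(a), y = parse(b);
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? x[i] : 0;
            int yi = i < y.length ? y[i] : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    /** True when lo <= v < hi, i.e. "from lo before hi" in the advisory's wording. */
    static boolean inRange(String v, String lo, String hi) {
        return compare(v, lo) >= 0 && compare(v, hi) < 0;
    }

    /** The advisory's ranges: fixed versions are 5.8.5 for 5.8.x and 5.9.7 for 5.9.x. */
    public static boolean isAffected(String version) {
        return inRange(version, "2.2", "5.8.5") || inRange(version, "5.9.0", "5.9.7");
    }

    public static void main(String[] args) {
        // Constructed sample inputs around each range boundary.
        String[] samples = {"2.1", "2.2", "5.8.4", "5.8.5", "5.9.0", "5.9.6", "5.9.7", "5.10.0"};
        for (String s : samples) {
            System.out.printf("%-8s %s%n", s, isAffected(s) ? "AFFECTED" : "not in an affected range");
        }
    }
}
```

The version string is read from the footer by a person, as the comment says; the code only removes the error-prone part, which is comparing dotted versions by hand (5.10 sorts after 5.9, not before it).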


            Ryan Nelson added a comment - Right, I want to know of a way to confirm this on a site. You can speak to me offline if you like.


            David Black added a comment - codespelunker they would exploit the problem that this issue fixed.


            Ryan Nelson added a comment - How would a person without a valid account exploit Bamboo?


            Przemek Bruski added a comment - You don't need a valid account to exploit this.


            Michael Johann added a comment - What does "be able to access the Bamboo web interface" mean? Is the login screen sufficient or do I need a valid Bamboo account?

              Reporter: Matthias Kaiser