Bug
Resolution: Fixed
High
2.2, 5.8.2, 5.9.1, 5.9.3, 5.9.4
None
Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo web interface.
Affected versions:
- All versions of Bamboo from 2.2 before 5.8.5 (the fixed version for 5.8.x) and from 5.9.0 before 5.9.7 (the fixed version for 5.9.x) are affected by this vulnerability.
Fix:
- Bamboo 5.9.7 is available for download from https://www.atlassian.com/software/bamboo/download.
- Bamboo 5.8.5 is available for download from https://www.atlassian.com/software/bamboo/download-archives.
Acknowledgements:
We would like to credit Matthias Kaiser of Code White for reporting this issue to us.
For additional details see the full advisory.
You only need to make sure that the version of Bamboo you have installed matches one of the fixed versions. You can find out which version you have by looking at the footer of the pages served from Bamboo.
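The affected ranges above can be checked across an inventory of Bamboo servers with a short script. This is an added example, not Atlassian's code; the host names and version strings are constructed, and the status labels are this example's own.

```python
import re

# Affected ranges as stated in this advisory: start inclusive, fixed version exclusive.
AFFECTED_RANGES = [
    ((2, 2, 0), (5, 8, 5)),  # 2.2 up to, but not including, 5.8.5
    ((5, 9, 0), (5, 9, 7)),  # 5.9.0 up to, but not including, 5.9.7
]

# Accept only plain "X.Y" or "X.Y.Z"; anything with a qualifier goes to manual review.
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not a plain version."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def classify(text):
    """Classify one version string against the advisory's affected ranges."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    # Tuples of ints compare numerically, so 5.8.10 sorts after 5.8.5
    # (a plain string comparison would get this wrong).
    if any(start <= version < fixed for start, fixed in AFFECTED_RANGES):
        return "affected"
    if version < AFFECTED_RANGES[0][0]:
        return "not-listed"  # older than 2.2: the advisory makes no statement
    return "not-affected"


def triage(inventory):
    """Group (host, version) pairs by status."""
    result = {}
    for host, version in inventory:
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    ("bamboo-01.example.internal", "5.9.4"),
    ("bamboo-02.example.internal", "5.8.5"),
    ("bamboo-03.example.internal", "5.8.10"),
    ("bamboo-04.example.internal", "2.2"),
    ("bamboo-05.example.internal", "5.9.7-rc1"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(status, hosts)
```

Hosts reported as `unknown` carry a version string the script will not guess at and should be checked by hand.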