-
Bug
-
Resolution: Fixed
-
High
-
2.2, 5.8.2, 5.9.1, 5.9.3, 5.9.4
-
None
Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. To exploit this issue, attackers need to be able to access the Bamboo web interface.
Affected versions:
- All versions of Bamboo from 2.2 before 5.8.5 (the fixed version for 5.8.x) and from 5.9.0 before 5.9.7 (the fixed version for 5.9.x) are affected by this vulnerability.
Fix:
- Bamboo 5.9.7 is available for download from https://www.atlassian.com/software/bamboo/download.
- Bamboo 5.8.5 is available for download from https://www.atlassian.com/software/bamboo/download-archives.
Acknowledgements:
We would like to credit Matthias Kaiser of Code White for reporting this issue to us.
For additional details see the full advisory.
- mentioned in
-
![[Atlassian Documentation] Page](/images/icons/generic_link_16.png "[Atlassian Documentation] Page")
Page
No Confluence page found with the given URL.
-
Page
No Confluence page found with the given URL.
-
Page
No Confluence page found with the given URL.
-
Page
No Confluence page found with the given URL.
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
-
![[Atlassian Documentation] Page](https://confluence.atlassian.com/images/icons/favicon.png "[Atlassian Documentation] Page"){kind=icon}
[BAM-16439] CVE-2015-6576: Deserialisation Resulting in Remote Code Execution Vulnerability
Ryan Nelson
added a comment - Right, I want to know of a way to confirm this on a site. You can speak to me offline if you like.
Ryan Nelson
added a comment - Right, I want to know of a way to confirm this on a site. You can speak to me offline if you like. Ryan Nelson
added a comment - How would a person without a valid account exploit bamboo? 
Michael Johann
added a comment - What does "be able to access the Bamboo web interface" mean? Is the login screen sufficient or da I need a valid bamboo account?
Michael Johann
added a comment - What does "be able to access the Bamboo web interface" mean? Is the login screen sufficient or da I need a valid bamboo account? 
You only need to make sure that the version of Bamboo you have installed matches one of the fixed versions. You can find out which version you have by looking at the footer of the pages served from Bamboo.