Uploaded image for project: 'Bamboo'
  1. Bamboo
  2. BAM-17736

CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes

    XMLWordPrintable

    Details

      Description

      Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.

      Affected versions:

      • All versions of Bamboo from 2.3.1 before 5.11.4.1 (the fixed version for 5.11.x) and from 5.12.0 before 5.12.3.1 (the fixed version for 5.12.x) are affected by this vulnerability.


      Fix:


      Acknowledgements:
      We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.


      For additional details see the full advisory.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              bechler1138221210 Moritz Bechler
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: