- Bug
- Resolution: Fixed
- Highest
- 2.3.1
- None
Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.
Affected versions:
- All versions of Bamboo from 2.3.1 before 5.11.4.1 (the fixed version for 5.11.x) and from 5.12.0 before 5.12.3.1 (the fixed version for 5.12.x) are affected by this vulnerability.
Fix:
- Bamboo 5.12.3.1 is available for download from https://www.atlassian.com/software/bamboo/download.
- Bamboo 5.11.4.1 is available for download from https://www.atlassian.com/software/bamboo/download-archives.
Acknowledgements:
We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.
For additional details see the full advisory.