Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.
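The defensive fix for this class of bug is to restrict which classes a deserialisation endpoint will accept. The following is an added example, not Atlassian's code and not taken from the advisory: it shows an allow-list `ObjectInputFilter` (JEP 290, Java 9+) applied to an agent-to-server message stream. The `AgentStatus` and `Unexpected` classes are hypothetical stand-ins for an expected message type and for anything else that arrives on the channel.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class AgentMessageFilterDemo {

    /** Hypothetical message type that a build agent is allowed to send to the server. */
    static final class AgentStatus implements Serializable {
        private static final long serialVersionUID = 1L;
        final String agentName;
        final int runningBuilds;

        AgentStatus(String agentName, int runningBuilds) {
            this.agentName = agentName;
            this.runningBuilds = runningBuilds;
        }
    }

    /** Hypothetical class that is never expected on the agent-to-server channel. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /**
     * Allow-list filter: the expected message class and java.lang.String are accepted,
     * the graph is bounded (depth, reference count), and the trailing "!*" rejects
     * every other class before it is resolved or instantiated.
     */
    static final ObjectInputFilter AGENT_FILTER = ObjectInputFilter.Config.createFilter(
            AgentStatus.class.getName() + ";java.lang.String;maxdepth=4;maxrefs=64;!*");

    /** Serialises an object into bytes (stands in for a message arriving from an agent). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialises with the allow-list installed; unexpected classes raise InvalidClassException. */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(AGENT_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate status message passes the filter.
        byte[] ok = serialize(new AgentStatus("agent-01", 2));
        AgentStatus s = (AgentStatus) deserializeFiltered(ok);
        System.out.println("accepted: " + s.agentName + " running " + s.runningBuilds);

        // Constructed sample: a class outside the allow-list is rejected before construction.
        byte[] bad = serialize(new Unexpected());
        try {
            deserializeFiltered(bad);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The filter runs as each class descriptor is read from the stream, so a rejected class is never loaded or instantiated; combined with the `maxdepth`/`maxrefs` bounds this also limits resource-exhaustion payloads. The same allow-list could be installed process-wide with `ObjectInputFilter.Config.setSerialFilter`, but a per-stream filter keeps the policy next to the endpoint that actually accepts agent input.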
- All versions of Bamboo from 2.3.1 before 126.96.36.199 (the fixed version for 5.11.x) and from 5.12.0 before 188.8.131.52 (the fixed version for 5.12.x) are affected by this vulnerability.
- Bamboo 184.108.40.206 is available for download from https://www.atlassian.com/software/bamboo/download.
- Bamboo 220.127.116.11 is available for download from https://www.atlassian.com/software/bamboo/download-archives.
We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.
For additional details see the full advisory.