Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 5.12.3, 5.13.0.1, 5.11.4, 5.12.3.1, 5.11.4.1
Affects Version/s: 2.3.1
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.

Affected versions:

All versions of Bamboo from 2.3.1 before 5.11.4.1 (the fixed version for 5.11.x) and from 5.12.0 before 5.12.3.1 (the fixed version for 5.12.x) are affected by this vulnerability.

Fix:

Bamboo 5.12.3.1 is available for download from https://www.atlassian.com/software/bamboo/download.
Bamboo 5.11.4.1 is available for download from https://www.atlassian.com/software/bamboo/download-archives.

Acknowledgements:
We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.

For additional details see the full advisory.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(1 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Moritz Bechler

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Jul/2016 4:22 AM

Updated:: 13/Nov/2019 11:56 PM

Resolved:: 26/Aug/2016 2:36 PM