Uploaded image for project: 'Bamboo Data Center'
  1. Bamboo Data Center
  2. BAM-17736

CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes

XMLWordPrintable

      Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.

      Affected versions:

      • All versions of Bamboo from 2.3.1 before 5.11.4.1 (the fixed version for 5.11.x) and from 5.12.0 before 5.12.3.1 (the fixed version for 5.12.x) are affected by this vulnerability.


      Fix:


      Acknowledgements:
      We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.


      For additional details see the full advisory.

              Unassigned Unassigned
              b00c6cff-1b4f-4186-9618-b4fb6e64696c Deleted Account (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: