Bamboo has a resource which accepts a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can login to Bamboo as a user is able to use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo.
- Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x ) and from before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability.
- Bamboo 6.2.1 is available to download from https://www.atlassian.com/software/bamboo/download.
- Bamboo 6.1.4 is available to download from https://www.atlassian.com/software/bamboo/download-archives.
- Bamboo 6.0.5 is available to download from https://www.atlassian.com/software/bamboo/download-archives.
For additional details see the full advisory.