Bamboo has a resource which accepts a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo.

Affected versions:

• Versions of Bamboo from 6.0.0 before 6.0.5 (the fixed version for 6.0.x) and versions before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability.

Fix:

• Bamboo 6.2.1 is available to download from https://www.atlassian.com/software/bamboo/download.
• Bamboo 6.1.4 is available to download from https://www.atlassian.com/software/bamboo/download-archives.
• Bamboo 6.0.5 is available to download from https://www.atlassian.com/software/bamboo/download-archives.

For additional details see the full advisory: https://confluence.atlassian.com/x/EZ-1Nw
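The vulnerability class described above (a YAML loader that resolves global tags into arbitrary JVM classes) can be shown side by side with the hardened form. The following is an added example written for this page, not Bamboo code and not taken from the Atlassian advisory; it assumes a SnakeYAML 1.x-style parser (SnakeYAML 2.x blocks global tags by default), and the class names `YamlClassLoadingDemo`, `SideEffectProbe` and the sample documents are constructed for the demonstration. The probe class does nothing beyond setting a flag, which is enough to show that an unrestricted loader instantiates whatever class a tag names, while `SafeConstructor` only builds plain scalars, sequences and maps and rejects the tag before any constructor runs.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlClassLoadingDemo {

    /** Harmless stand-in for "any class on the classpath": instantiating it only flips a flag. */
    public static class SideEffectProbe {
        static boolean instantiated = false;
        public SideEffectProbe() { instantiated = true; }
    }

    // Constructed input: a global tag naming a JVM class instead of carrying plain data.
    static final String TAGGED_DOC = "!!" + SideEffectProbe.class.getName() + " {}";
    // Constructed input: the kind of document a configuration endpoint actually expects.
    static final String PLAIN_DOC = "name: nightly\ntimeoutSeconds: 600\n";

    /** Vulnerable pattern: the default constructor resolves any "!!fully.qualified.Name" tag. */
    static Object loadUnrestricted(String doc) {
        return new Yaml().load(doc);
    }

    /** Hardened pattern: SafeConstructor knows only the standard YAML tags; unknown tags throw. */
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        Object o = loadUnrestricted(TAGGED_DOC);
        System.out.println("unrestricted: built " + o.getClass().getName()
                + ", class constructor ran = " + SideEffectProbe.instantiated);

        SideEffectProbe.instantiated = false;
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("safe: unexpectedly accepted the tag");
        } catch (YAMLException e) {
            // ConstructorException: "could not determine a constructor for the tag ..."
            System.out.println("safe: rejected with " + e.getClass().getSimpleName()
                    + ", class constructor ran = " + SideEffectProbe.instantiated);
        }

        // The same safe loader still handles the data the endpoint is meant to accept.
        System.out.println("safe: " + loadSafe(PLAIN_DOC));
    }
}
```

The defensive point is that the restriction has to live in the parser configuration, not in input filtering: a loader built with `SafeConstructor` cannot be talked into instantiating a class by any document, whereas the default constructor treats the document as a class-loading instruction. If an endpoint genuinely needs typed objects, bind it to an explicit allow-list of types rather than leaving class resolution open.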

            [BAM-18735] Remote Code Execution - CVE-2017-9514

            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 847667 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 846156 ]
            Said made changes -
            Labels Original: advisory advisory-released cvss-critical security New: advisory advisory-released cvss-critical injection rce security
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Bamboo Workflow 2016 v1 - Restricted [ 2446682 ] New: JAC Bug Workflow v3 [ 3385569 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Symptom Severity Original: Critical [ 14430 ] New: Severity 1 - Critical [ 15830 ]
            David Black made changes -
            Labels Original: advisory advisory-released security New: advisory advisory-released cvss-critical security
            David Black made changes -
            Labels Original: advisory no-cvss-required security New: advisory advisory-released security
            alexmin (Inactive) made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            David Black made changes -
            Description Original: Bamboo has a resource which accepts a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can login to Bamboo as a user is able to use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo.

             

            *Affected versions:*
             * Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x ) and from before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability.

             

            *Fix:*
             * *Bamboo* 6.2.1 is available to download from [https://www.atlassian.com/software/bamboo/download].
             * *Bamboo* 6.1.4 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].
             * *Bamboo* 6.0.5 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].

             

            For additional details see the [full advisory|].
            New: Bamboo has a resource which accepts a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can login to Bamboo as a user is able to use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo.

             

            *Affected versions:*
             * Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x ) and from before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability.

             

            *Fix:*
             * *Bamboo* 6.2.1 is available to download from [https://www.atlassian.com/software/bamboo/download].
             * *Bamboo* 6.1.4 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].
             * *Bamboo* 6.0.5 is available to download from [https://www.atlassian.com/software/bamboo/download-archives].

             

            For additional details see the [full advisory|https://confluence.atlassian.com/x/EZ-1Nw].
            Krystian Brazulewicz made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Needs Triage [ 10030 ] New: Resolved [ 5 ]