Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to do one or more of the following:

• create a repository in Bamboo
• edit an existing plan in Bamboo that has a non-linked Mercurial repository
• create or edit a plan in Bamboo when there is at least one linked Mercurial repository that the attacker has permission to use
• commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled
  can execute code of their choice on systems that run a vulnerable version of Bamboo Server.

Affected versions:

• Versions of Bamboo starting with 2.7.0 before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Fix:

• Bamboo version 6.2.5 is available to download from https://www.atlassian.com/software/bamboo/download.
• Bamboo version 6.1.6 is available to download from https://www.atlassian.com/software/bamboo/download-archives.

Acknowledgements
Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

For additional details see the full advisory.