Public Security Vulnerability
Resolution: Fixed
Highest
1.0.0
None
None
10
Critical
CVE-2023-46604
Atlassian (Internal)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
RCE (Remote Code Execution)
Bamboo Data Center, Bamboo Server
Summary of Vulnerability
Bamboo uses the third-party library ActiveMQ as part of its core services. Apache ActiveMQ has published a vulnerability (CVE-2023-46604) that allows Remote Code Execution (RCE). Because of the high severity of this ActiveMQ CVE, out of an abundance of caution, we are publishing this advisory ahead of our regular schedule of advisories.
This critical severity RCE (Remote Code Execution) vulnerability known as CVE-2023-46604 affects all versions prior to the listed fix versions of Bamboo Data Center and Server. Versions outside of the support window (i.e. versions that have reached End of Life) may also be affected, so Atlassian recommends you upgrade to a fixed LTS version or later.
Affected Versions
Product | Affected Versions |
---|---|
Bamboo Data Center, Bamboo Server | All versions are affected |
Fixed Versions
Product | Fixed Versions |
---|---|
Bamboo Data Center, Bamboo Server | |
What You Need to Do
Atlassian recommends that you upgrade your instance to one of the versions listed in the “Fixed Versions” table section of this ticket. For full descriptions of the above versions of Bamboo Data Center and Server, see the release notes. You can download the latest version of Bamboo Data Center and Server from the download center.
For additional details, please see the full advisory or the FAQ.