CVE-2025-68493 impact on Bamboo


    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • Fix Version/s: 9.6.24, 10.2.16
    • Affects Version/s: 9.6.0, 10.0.0, 10.1.0, 10.2.0
    • Component/s: Security
    • Severity 2 - Major

      Issue Summary

      Impact of CVE-2025-68493 in Bamboo 

      https://cwiki.apache.org/confluence/display/WW/S2-069

      Parsing of XML configuration in the XWork component does not validate the XML properly and is vulnerable to XML external entity (XXE) injection.
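      The fix for this issue is the Struts upgrade named below, not a parser change inside Bamboo. The following is an added illustration, not code from Bamboo, Struts or XWork, of what "validating XML in a proper way" means for any plugin code that parses XML configuration itself: the JAXP DocumentBuilderFactory is configured so that a DOCTYPE is rejected outright and external entities and DTDs are never fetched. The class name, the method names and the sample document (a placeholder SYSTEM path, constructed for the example) are assumptions made here.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlConfigLoader {

    // Constructed sample input (not from the page): a configuration document whose
    // DOCTYPE declares an external entity. The SYSTEM path is a placeholder, not a real file.
    static final String CONSTRUCTED_INPUT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
      + "<config><setting name=\"example\">&ext;</setting></config>";

    /** Builds a DocumentBuilder that refuses DOCTYPEs and never resolves external resources. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Secure processing alone does NOT stop XXE; it only limits entity expansion size.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Strongest setting: no DOCTYPE means no entity declarations of any kind.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must tolerate a DOCTYPE.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 access restrictions: an empty string denies every protocol.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses a configuration document; returns null when the hardened parser rejects it. */
    static Document loadConfig(String xml) throws ParserConfigurationException {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException | IOException e) {
            // With disallow-doctype-decl the sample above fails here, before any entity is resolved.
            System.err.println("Rejected XML configuration: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document doc = loadConfig(CONSTRUCTED_INPUT);
        System.out.println(doc == null ? "config rejected (expected)" : "config accepted");
    }
}
```

      Run against the constructed input, the parser raises a SAXParseException at the DOCTYPE and the placeholder path is never opened; a document without a DOCTYPE parses normally. The same feature names apply to SAXParserFactory and XMLInputFactory-based code, which is where a plugin that bundles its own XML handling should be reviewed.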

      Steps to Reproduce

       

      Impact of vulnerability: Disclosure of Data, Denial of Service, Server Side Request Forgery

      Bamboo might be impacted by this vulnerability if customers use external plugins from the Marketplace or custom external plugins.

      Expected Results

      The Struts versions below are vulnerable:

      • Struts 2.0.0 through Struts 2.3.37 (EOL)
      • Struts 2.5.0 through Struts 2.5.33 (EOL)
      • Struts 6.0.0 through Struts 6.1.0

      Actual Results

      Upgrade to Struts 6.1.1 or later.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

      Assignee: Alexey Chystoprudov
      Reporter: Sushant Verma
      Votes: 0
      Watchers: 4