RCE (Remote Code Execution) org.apache.activemq:activemq-broker Dependency in Bamboo Data Center

XMLWordPrintable

    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: High
    • 12.1.8, 10.2.20
    • Affects Version/s: 10.2.0, 11.0.0, 10.2.1, 10.2.2, 10.2.3, 12.0.0, 10.2.4, 11.0.1, 10.2.5, 11.0.2, 11.0.3, 10.2.6, 10.2.7, 11.0.4, 12.1.0, 10.2.8, 11.0.5, 10.2.9, 11.0.7, 11.0.8, 10.2.10, 10.2.11, 12.0.1, 12.0.2, 10.2.12, 12.1.1, 10.2.13, 10.2.14, 10.2.15, 12.1.2, 12.1.3, 10.2.16, 10.2.18, 11.1.0, 12.1.6, 12.1.7, 10.2.19, 10.2.17
    • Component/s: None
    • 8.8
    • High
    • CVE-2026-41044
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    • RCE (Remote Code Execution)
    • Bamboo Data Center

      This High severity RCE (Remote Code Execution)  vulnerability was introduced in versions 10.2.0 and 12.1.0 of Bamboo Data Center.

      This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.8 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, allows an authenticated attacker to execute malicious code on the remote system, 
      which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.
      Atlassian recommends that Bamboo Data Center customers upgrade to the latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      • Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.20
      • Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.8

      See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center from the download center (https://www.atlassian.com/software/bamboo/download-archives).

       
      The National Vulnerability Database provides the following description for this vulnerability:
      Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

              Assignee:
              Unassigned
              Reporter:
              Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: