Arbitrary Code Execution Risk in Atlassian Bamboo due to XMPP API Vulnerability
CVE-2014-9757

9.8CRITICAL

Key Information:

Vendor

Atlassian
Status
Bamboo
Vendor
CVE Published:
8 February 2016

What is CVE-2014-9757?

The Ignite Realtime Smack XMPP API utilized in Atlassian Bamboo allows remote attackers to craft malicious XMPP messages that can lead to the execution of arbitrary Java code. This vulnerability, present in versions prior to 5.9.9 and certain 5.10.x builds, stems from a lack of proper authentication controls for serialized data. Attackers can exploit this flaw to manipulate the API's behavior, posing significant risks to the security of affected systems.

References

http://www.securityfocus.com/archive/1/537347/100/0/threaded
mailing-listx_refsource_BUGTRAQ
https://confluence.atlassian.com/bamboo/bamboo-security-a...
x_refsource_CONFIRM
https://jira.atlassian.com/browse/BAM-17099
x_refsource_CONFIRM

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.