Deserialization Vulnerability in Atlassian Bamboo Affects Remote Code Execution
CVE-2016-5229

9.8CRITICAL

Key Information:

Vendor
Atlassian
Status
Bamboo
Vendor
CVE Published:
2 August 2016

Summary

Atlassian Bamboo versions prior to 5.11.4.1 and 5.12.x before 5.12.3.1 contain a critical flaw that allows remote attackers to execute arbitrary code. This vulnerability arises from improper restrictions on permitted deserialized classes, particularly in relation to XStream Serialization. Attackers can exploit this weakness to manipulate deserialized objects, potentially gaining control over the application and affecting the overall security of the system. It is crucial for users of affected versions to implement patches and updates to safeguard their assets.

References

http://www.securityfocus.com/archive/1/539003/100/0/threaded
mailing-listx_refsource_BUGTRAQ
http://packetstormsecurity.com/files/138053/Bamboo-Deseri...
x_refsource_MISC
http://www.securityfocus.com/bid/92057
vdb-entryx_refsource_BID

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.