CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes

Source: jira.atlassian.com (ATLASSIAN:BAM-17736)
Published: 2016-07-07 04:22:24

EPSS

0.043

Percentile

92.5%

Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.
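
As an added illustration (not Bamboo's code and not part of the advisory) of the mitigation the description implies, the Java snippet below accepts agent input only through an ObjectInputStream that fails closed on any class missing from an explicit allowlist; the BuildResult type and the allowlist contents are assumptions made for this demo.

```java
import java.io.*;
import java.util.Set;

public class RestrictedDeserialisation {
    // Assumed message type for the demo: the only object an "agent" may send us.
    public static final class BuildResult implements Serializable {
        public final String buildKey;
        public final boolean success;
        public BuildResult(String buildKey, boolean success) { this.buildKey = buildKey; this.success = success; }
    }
    // Explicit allowlist of class names permitted in the stream. Anything not listed
    // fails closed, so gadget classes that happen to be on the classpath are never
    // instantiated from untrusted input. Add nested field types only after review.
    private static final Set<String> ALLOWED = Set.of(BuildResult.class.getName());
    // ObjectInputStream that consults the allowlist before resolving any class descriptor.
    // (On Java 9+ the same policy can also be expressed with java.io.ObjectInputFilter.)
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted for deserialisation");
            }
            return super.resolveClass(desc);
        }
    }
    // Entry point a server-side resource would use for bytes received from an agent.
    public static Object readFromAgent(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    // Helper to build sample streams for the demo below (stands in for the agent side).
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        BuildResult ok = (BuildResult) readFromAgent(serialise(new BuildResult("PLAN-1", true)));
        System.out.println("accepted: " + ok.buildKey + " success=" + ok.success);
        try {
            readFromAgent(serialise(new java.util.HashMap<String, String>())); // not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```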

Affected versions:

  • All versions of Bamboo from 2.3.1 before 5.11.4.1 (the fixed version for 5.11.x) and from 5.12.0 before 5.12.3.1 (the fixed version for 5.12.x) are affected by this vulnerability.

Fix:

Acknowledgements:
We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.

For additional details see the full advisory (https://confluence.atlassian.com/x/rSGSMQ).
