Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.
Affected versions:
Fix:
Acknowledgements:
We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.
For additional details see the [full advisory|https://confluence.atlassian.com/x/rSGSMQ].