CVE-2017-9514

Summary

Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo.

Affected Software

VendorProductVersion RangeStatus
AtlassianBamboofrom 6.0.0 before 6.0.5affected
AtlassianBamboofrom 6.1.0 before 6.1.4affected
AtlassianBamboofrom 6.2.0 before 6.2.1affected

Weaknesses

  • Remote Code Execution

ADP Enrichment

CVE Program Container

Additional References

References