Atlassian Bamboo vulnerabilities

CVE-2024-21689 [HIGH] CWE-94 CVE-2024-21689: This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689  was introduced in versi This High severity RCE (Remote Code Execution) vulnerability CVE-2024-21689 was introduced in versions 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.6, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiali

CVE-2024-21687 [HIGH] CWE-98 CVE-2024-21687: This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3. This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files alread

CVE-2023-22516 [HIGH] CVE-2023-22516: This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0 This High severity RCE (Remote Code Execution) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to int

CVE-2022-26136 [CRITICAL] CWE-180 CVE-2022-26136: A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass S A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released update

CVE-2022-26137 [HIGH] CWE-180 CVE-2022-26137: A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause ad A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a speci

CVE-2021-26067 [MEDIUM] CWE-200 CVE-2021-26067: Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The affected versions are before version 7.2.2.

CVE-2019-15005 [MEDIUM] CWE-862 CVE-2019-15005: The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivilege The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulne

CVE-2018-5224 [HIGH] CWE-20 CVE-2018-5224: Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Wi Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project

CVE-2017-18042 [HIGH] CWE-352 CVE-2017-18042: The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attac The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.

CVE-2017-18080 [HIGH] CWE-352 CVE-2017-18080: The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.

CVE-2017-18082 [MEDIUM] CWE-79 CVE-2017-18082: The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attacker The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.

CVE-2017-18040 [MEDIUM] CWE-79 CVE-2017-18040: The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote att The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.

CVE-2017-18081 [MEDIUM] CWE-79 CVE-2017-18081: The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject a The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.

CVE-2017-18041 [MEDIUM] CWE-79 CVE-2017-18041: The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows r The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.

CVE-2017-14590 [CRITICAL] CVE-2017-14590: Bamboo did not check that the name of a branch in a Mercurial repository contained argument paramete Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or co

CVE-2017-14589 [CRITICAL] CWE-20 CVE-2017-14589: It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of B

CVE-2017-9514 [HIGH] CWE-732 CVE-2017-9514: Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YA Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo.

CVE-2015-6576 [HIGH] CWE-94 CVE-2015-6576: Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.

CVE-2017-8907 [HIGH] CWE-863 CVE-2017-8907: Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a g

CVE-2016-5229 [CRITICAL] CWE-284 CVE-2016-5229: Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted des Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.