
CVSS: 9.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

13 Dec 2017 — Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable v... • http://www.securityfocus.com/bid/102193 •

CVSS: 8.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

12 Oct 2017 — Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo. • http://www.securityfocus.com/bid/101269 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 8.8 • EPSS: 0% • CPEs: 53 • EXPL: 0

14 Jun 2017 — Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code... • http://www.securityfocus.com/bid/99090 • CWE-863: Incorrect Authorization •

CVSS: 9.8 • EPSS: 7% • CPEs: 4 • EXPL: 0

26 Jul 2016 — Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization. This adviso... • http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html • CWE-284: Improper Access Control •

CVSS: 9.8 • EPSS: 0% • CPEs: 90 • EXPL: 0

22 Jan 2016 — The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message. Bamboo suffers from dese... • http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html • CWE-20: Improper Input Validation •

CVSS: 9.8 • EPSS: 0% • CPEs: 91 • EXPL: 0

22 Jan 2016 — An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port. Bamboo suffers from deserialization and missing authentication check vulnerabilities. This advisory discloses m... • http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html • CWE-20: Improper Input Validation •

CVSS: 9.1 • EPSS: 0% • CPEs: 90 • EXPL: 0

22 Jan 2016 — Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port. • http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html • CWE-284: Improper Access Control •

CVSS: 8.8 • EPSS: 2% • CPEs: 2 • EXPL: 2

23 Oct 2015 — Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. Bamboo had a resource that deserialised arbitrary user input without restriction. Attackers can use this vulnerability to... • https://packetstorm.news/files/id/134490 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.1 • EPSS: 68% • CPEs: 17 • EXPL: 3

22 May 2012 — Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3 before 2.3.7, and 2.4 before 2.4.1 do not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vecto... • https://packetstorm.news/files/id/181107 •