
CVE-2017-14590 – Atlassian Bamboo Code Execution / Argument Injection
https://notcve.org/view.php?id=CVE-2017-14590
13 Dec 2017 — Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least one linked Mercurial repository that the attacker has permission to use, or commit to a Mercurial repository used by a Bamboo plan which has branch detection enabled can execute code of their choice on systems that run a vulnerable v... • http://www.securityfocus.com/bid/102193 •

CVE-2017-8907 – Bamboo 5.x / 6.x Incorrect Permission Check
https://notcve.org/view.php?id=CVE-2017-8907
14 Jun 2017 — Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can log in to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code... • http://www.securityfocus.com/bid/99090 • CWE-863: Incorrect Authorization •

CVE-2016-5229 – Bamboo Deserialization Issue
https://notcve.org/view.php?id=CVE-2016-5229
26 Jul 2016 — Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization. This adviso... • http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html • CWE-284: Improper Access Control •