CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2017-9514
https://notcve.org/view.php?id=CVE-2017-9514
Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo. Bamboo en versiones anteriores a la 6.0.5, 6.1.x anteriores a la 6.1.4 y 6.2.x anteriores a la 6.2.1 tenía un endpoint REST que analizaba sintácticamente un archivo YAML y no restringía suficientemente qué clases se podían cargar. Un atacante que pueda iniciar sesión en Bamboo como un usuario sería capaz de explotar esta vulnerabilidad para ejecutar código Java de su elección en sistemas que tienen versiones vulnerables de Bamboo. • http://www.securityfocus.com/bid/101269 https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-10-11-938843921.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 53EXPL: 0CVE-2017-8907
https://notcve.org/view.php?id=CVE-2017-8907
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects is able to use this vulnerability, provided there is an existing plan with a green build, to create a deployment project and execute arbitrary code on an available Bamboo Agent. By default a local agent is enabled; this means that code execution can occur on the system hosting Bamboo as the user running Bamboo. Atlassian Bamboo, en versiones 5.x anteriores a la 5.15.7 y versiones 6.x anteriores a la 6.0.1, no comprobó correctamente si un usuario que crea un proyecto de despliegue tenía el permiso de edición y, por lo tanto, los derechos para hacerlo. Un atacante que pueda iniciar sesión en Bamboo como usuario sin el permiso de edición para proyectos de despliegue puede emplear esta vulnerabilidad, siempre y cuando exista un plan con un "green build" para crear un proyecto de despliegue y ejecute código arbitrario en un agente Bamboo disponible. • http://www.securityfocus.com/bid/99090 https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-06-14-907283498.html • CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 4%CPEs: 4EXPL: 0CVE-2016-5229
https://notcve.org/view.php?id=CVE-2016-5229
Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization. Atlassian Bamboo en versiones anteriores a 5.11.4.1 y 5.12.x en versiones anteriores a 5.12.3.1 no restringe adecuadamente clases deserializadas permitidas, lo que permite a atacantes remotos ejecutar código arbitrario a través de vectores relacionados con XStream Serialization. • http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html http://www.securityfocus.com/archive/1/539003/100/0/threaded http://www.securityfocus.com/bid/92057 https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html https://jira.atlassian.com/browse/BAM-17736 • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 90EXPL: 0CVE-2014-9757
https://notcve.org/view.php?id=CVE-2014-9757
The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message. La API Ignite Realtime Smack XMPP, como se utiliza en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0, permite a servidores XMPP remotos configurados ejecutar código Java arbitrario a través de datos serializados en un mensaje XMPP. • http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html http://www.securityfocus.com/archive/1/537347/100/0/threaded https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html https://jira.atlassian.com/browse/BAM-17099 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 90EXPL: 0CVE-2015-8361
https://notcve.org/view.php?id=CVE-2015-8361
Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port. Múltiples servicios no especificados en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0 no requieren autenticación, lo que permite a atacantes remotos obtener información sensible, modificar ajustes o administrar agentes de construcción a través de vectores desconocidos que involucran al puerto JMS. • http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html http://www.securityfocus.com/archive/1/537347/100/0/threaded https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html https://jira.atlassian.com/browse/BAM-17102 • CWE-284: Improper Access Control •