CVE-2014-9757
Bamboo Deserialization / Missing Authentication Checks
Severity Score
Exploit Likelihood
Affected Versions
90Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.
La API Ignite Realtime Smack XMPP, como se utiliza en Atlassian Bamboo en versiones anteriores a 5.9.9 y 5.10.x en versiones anteriores a 5.10.0, permite a servidores XMPP remotos configurados ejecutar código Java arbitrario a través de datos serializados en un mensaje XMPP.
Bamboo suffers from deserialization and missing authentication check vulnerabilities. This advisory discloses multiple critical severity security vulnerabilities of which the earliest vulnerability was introduced in version 2.3.1 of Bamboo. Versions of Bamboo starting with 2.3.1 before 5.9.9 (the fixed version for 5.9.x) are vulnerable.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-11-25 CVE Reserved
- 2016-01-22 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authe... | X_refsource_misc |
|
| http://www.securityfocus.com/archive/1/537347/100/0/threaded | Mailing List |
| URL | Date | SRC |
|---|