Critical severity9.6NVD Advisory· Published Dec 13, 2017· Updated May 13, 2026

CVE-2017-14589

Description

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Affected products

Atlassian/Bamboov5
Range: before 6.1.6 (the fixed version for 6.1.x)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/102188nvdThird Party AdvisoryVDB Entry
confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.htmlnvdVendor Advisory
jira.atlassian.com/browse/BAM-18842nvdIssue TrackingVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.624
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000