Bamboo
by Atlassian
CVEs (21)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-2926 | Cri | 0.67 | 9.1 | 0.67 | May 22, 2012 | Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3… | ||
| CVE-2016-5229 | Cri | 0.64 | 9.8 | 0.07 | Aug 2, 2016 | Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization. | ||
| CVE-2015-8360 | Cri | 0.64 | 9.8 | 0.03 | Feb 8, 2016 | An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port. | ||
| CVE-2014-9757 | Cri | 0.64 | 9.8 | 0.02 | Feb 8, 2016 | The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message. | ||
| CVE-2017-14589 | Cri | 0.63 | 9.6 | 0.02 | Dec 13, 2017 | It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute… | ||
| CVE-2017-14590 | Cri | 0.59 | 9.1 | 0.02 | Dec 13, 2017 | Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least… | ||
| CVE-2015-8361 | Cri | 0.59 | 9.1 | 0.03 | Feb 8, 2016 | Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port. | ||
| CVE-2018-5224 | Hig | 0.57 | 8.8 | 0.03 | Mar 29, 2018 | Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked… | ||
| CVE-2017-18080 | Hig | 0.57 | 8.8 | 0.01 | Feb 2, 2018 | The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability. | ||
| CVE-2017-18042 | Hig | 0.57 | 8.8 | 0.01 | Feb 2, 2018 | The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability. | ||
| CVE-2017-9514 | Hig | 0.57 | 8.8 | 0.01 | Oct 12, 2017 | Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code… | ||
| CVE-2015-6576 | Hig | 0.57 | 8.8 | 0.04 | Oct 3, 2017 | Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. | ||
| CVE-2017-8907 | Hig | 0.57 | 8.8 | 0.02 | Jun 14, 2017 | Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects… | ||
| CVE-2017-18081 | Med | 0.40 | 6.1 | 0.01 | Feb 2, 2018 | The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie. | ||
| CVE-2017-18082 | Med | 0.35 | 5.4 | 0.01 | Feb 2, 2018 | The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch. | ||
| CVE-2017-18041 | Med | 0.35 | 5.4 | 0.01 | Feb 2, 2018 | The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. | ||
| CVE-2017-18040 | Med | 0.35 | 5.4 | 0.01 | Feb 2, 2018 | The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release. | ||
| CVE-2022-26137 | 0.00 | — | 0.02 | Jul 20, 2022 | A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this… | |||
| CVE-2022-26136 | 0.00 | — | 0.04 | Jul 20, 2022 | A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in… | |||
| CVE-2021-26067 | 0.00 | — | 0.01 | Jan 28, 2021 | Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The… |
- risk 0.67cvss 9.1epss 0.67
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3…
- risk 0.64cvss 9.8epss 0.07
Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.
- risk 0.64cvss 9.8epss 0.03
An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.
- risk 0.64cvss 9.8epss 0.02
The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.
- risk 0.63cvss 9.6epss 0.02
It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute…
- risk 0.59cvss 9.1epss 0.02
Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurialrepository, create or edit a plan when there is at least…
- risk 0.59cvss 9.1epss 0.03
Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port.
- risk 0.57cvss 8.8epss 0.03
Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked…
- risk 0.57cvss 8.8epss 0.01
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.
- risk 0.57cvss 8.8epss 0.01
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.
- risk 0.57cvss 8.8epss 0.01
Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code…
- risk 0.57cvss 8.8epss 0.04
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.
- risk 0.57cvss 8.8epss 0.02
Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects…
- risk 0.40cvss 6.1epss 0.01
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.
- risk 0.35cvss 5.4epss 0.01
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
- risk 0.35cvss 5.4epss 0.01
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
- risk 0.35cvss 5.4epss 0.01
The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.
- CVE-2022-26137Jul 20, 2022risk 0.00cvss —epss 0.02
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this…
- CVE-2022-26136Jul 20, 2022risk 0.00cvss —epss 0.04
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in…
- CVE-2021-26067Jan 28, 2021risk 0.00cvss —epss 0.01
Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path for the home directory in disk and if certain files exists on the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The…
Page 1 of 2