VYPR

Bamboo

by Atlassian

CVEs (21)

  • CVE-2012-2926 (Critical), May 22, 2012
    risk 0.67 | cvss 9.1 | epss 0.67

    Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4.x before 3.4.5; and Crowd before 2.0.9, 2.1 before 2.1.2, 2.2 before 2.2.9, 2.3…

  • CVE-2016-5229 (Critical), Aug 2, 2016
    risk 0.64 | cvss 9.8 | epss 0.07

    Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.

  • CVE-2015-8360 (Critical), Feb 8, 2016
    risk 0.64 | cvss 9.8 | epss 0.03

    An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.

  • CVE-2014-9757 (Critical), Feb 8, 2016
    risk 0.64 | cvss 9.8 | epss 0.02

    The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XMPP servers to execute arbitrary Java code via serialized data in an XMPP message.

  • CVE-2017-14589 (Critical), Dec 13, 2017
    risk 0.63 | cvss 9.6 | epss 0.02

    It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute…

  • CVE-2017-14590 (Critical), Dec 13, 2017
    risk 0.59 | cvss 9.1 | epss 0.02

    Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan that has a non-linked Mercurial repository, create or edit a plan when there is at least…

  • CVE-2015-8361 (Critical), Feb 8, 2016
    risk 0.59 | cvss 9.1 | epss 0.03

    Multiple unspecified services in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 do not require authentication, which allows remote attackers to obtain sensitive information, modify settings, or manage build agents via unknown vectors involving the JMS port.

  • CVE-2018-5224 (High), Mar 29, 2018
    risk 0.57 | cvss 8.8 | epss 0.03

    Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked…

  • CVE-2017-18080 (High), Feb 2, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2017-18042 (High), Feb 2, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.

  • CVE-2017-9514 (High), Oct 12, 2017
    risk 0.57 | cvss 8.8 | epss 0.01

    Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a REST endpoint that parsed a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code…

  • CVE-2015-6576 (High), Oct 3, 2017
    risk 0.57 | cvss 8.8 | epss 0.04

    Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.

  • CVE-2017-8907 (High), Jun 14, 2017
    risk 0.57 | cvss 8.8 | epss 0.02

    Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correctly check if a user creating a deployment project had the edit permission and therefore the rights to do so. An attacker who can login to Bamboo as a user without the edit permission for deployment projects…

  • CVE-2017-18081 (Medium), Feb 2, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.

  • CVE-2017-18082 (Medium), Feb 2, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.

  • CVE-2017-18041 (Medium), Feb 2, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.

  • CVE-2017-18040 (Medium), Feb 2, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    The viewDeploymentVersionCommits resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.

  • CVE-2022-26137, Jul 20, 2022
    risk 0.00 | cvss not listed | epss 0.02

    A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this…

  • CVE-2022-26136, Jul 20, 2022
    risk 0.00 | cvss not listed | epss 0.04

    A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in…

  • CVE-2021-26067, Jan 28, 2021
    risk 0.00 | cvss not listed | epss 0.01

    Affected versions of Atlassian Bamboo allow an unauthenticated remote attacker to view a stack trace that may reveal the path of the home directory on disk and whether certain files exist in the tmp directory, via a Sensitive Data Exposure vulnerability in the /chart endpoint. The…

Page 1 of 2