CVE-2015-8360
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Java code via serialized data to the JMS port.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://jira.atlassian.com/browse/BAM-17101
Vendor advisory: cve@mitre.org — https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| atlassian | bamboo | 2.3.1 | |
| atlassian | bamboo | 2.4 | |
| atlassian | bamboo | 2.4.1 | |
| atlassian | bamboo | 2.4.2 | |
| atlassian | bamboo | 2.4.3 | |
| atlassian | bamboo | 2.5 | |
| atlassian | bamboo | 2.5.1 | |
| atlassian | bamboo | 2.5.2 | |
| atlassian | bamboo | 2.5.3 | |
| atlassian | bamboo | 2.5.5 | |
| atlassian | bamboo | 2.6 | |
| atlassian | bamboo | 2.6.1 | |
| atlassian | bamboo | 2.6.2 | |
| atlassian | bamboo | 2.6.3 | |
| atlassian | bamboo | 2.7 | |
| atlassian | bamboo | 2.7.1 | |
| atlassian | bamboo | 2.7.2 | |
| atlassian | bamboo | 2.7.3 | |
| atlassian | bamboo | 2.7.4 | |
| atlassian | bamboo | 3.0 | |
| atlassian | bamboo | 3.0.1 | |
| atlassian | bamboo | 3.0.2 | |
| atlassian | bamboo | 3.0.3 | |
| atlassian | bamboo | 3.1 | |
| atlassian | bamboo | 3.1.1 | |
| atlassian | bamboo | 3.1.3 | |
| atlassian | bamboo | 3.1.4 | |
| atlassian | bamboo | 3.2 | |
| atlassian | bamboo | 3.2.2 | |
| atlassian | bamboo | 3.3 | |
| atlassian | bamboo | 3.3.1 | |
| atlassian | bamboo | 3.3.2 | |
| atlassian | bamboo | 3.3.3 | |
| atlassian | bamboo | 3.3.4 | |
| atlassian | bamboo | 3.4 | |
| atlassian | bamboo | 3.4.1 | |
| atlassian | bamboo | 3.4.2 | |
| atlassian | bamboo | 3.4.3 | |
| atlassian | bamboo | 3.4.4 | |
| atlassian | bamboo | 3.4.5 | |
| atlassian | bamboo | 4.0 | |
| atlassian | bamboo | 4.0.1 | |
| atlassian | bamboo | 4.1 | |
| atlassian | bamboo | 4.1.1 | |
| atlassian | bamboo | 4.1.2 | |
| atlassian | bamboo | 4.2 | |
| atlassian | bamboo | 4.2.1 | |
| atlassian | bamboo | 4.3 | |
| atlassian | bamboo | 4.3.1 | |
| atlassian | bamboo | 4.3.2 | |
| atlassian | bamboo | 4.3.3 | |
| atlassian | bamboo | 4.3.4 | |
| atlassian | bamboo | 4.4 | |
| atlassian | bamboo | 4.4.1 | |
| atlassian | bamboo | 4.4.2 | |
| atlassian | bamboo | 4.4.3 | |
| atlassian | bamboo | 4.4.4 | |
| atlassian | bamboo | 4.4.5 | |
| atlassian | bamboo | 4.4.8 | |
| atlassian | bamboo | 5.0 | |
| atlassian | bamboo | 5.0.1 | |
| atlassian | bamboo | 5.1 | |
| atlassian | bamboo | 5.1.1 | |
| atlassian | bamboo | 5.2 | |
| atlassian | bamboo | 5.2.1 | |
| atlassian | bamboo | 5.2.2 | |
| atlassian | bamboo | 5.3 | |
| atlassian | bamboo | 5.4 | |
| atlassian | bamboo | 5.4.1 | |
| atlassian | bamboo | 5.4.2 | |
| atlassian | bamboo | 5.5 | |
| atlassian | bamboo | 5.6 | |
| atlassian | bamboo | 5.6.1 | |
| atlassian | bamboo | 5.6.2 | |
| atlassian | bamboo | 5.7 | |
| atlassian | bamboo | 5.7.1 | |
| atlassian | bamboo | 5.7.2 | |
| atlassian | bamboo | 5.8 | |
| atlassian | bamboo | 5.8.1 | |
| atlassian | bamboo | 5.8.2 | |
| atlassian | bamboo | 5.8.5 | |
| atlassian | bamboo | 5.9 | |
| atlassian | bamboo | 5.9.1 | |
| atlassian | bamboo | 5.9.2 | |
| atlassian | bamboo | 5.9.3 | |
| atlassian | bamboo | 5.9.4 | |
| atlassian | bamboo | 5.9.7 | |
References
- http://packetstormsecurity.com/files/135352/Bamboo-Deserialization-Missing-Authentication-Checks.html
- http://www.securityfocus.com/archive/1/537347/100/0/threaded
- https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-01-20-794376535.html
- https://jira.atlassian.com/browse/BAM-17101
CWEs
CWE-20