CVE-2016-5229

critical

Published 2016-08-02 · Modified 2026-05-06

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html

Application impact

Vendor	Product	Versions
atlassian	bamboo	`{"endIncluding":"5.11.3"}`
atlassian	bamboo	`5.12.0`
atlassian	bamboo	`5.12.1`
atlassian	bamboo	`5.12.2`

References

http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html
http://www.securityfocus.com/archive/1/539003/100/0/threaded
http://www.securityfocus.com/bid/92057
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html
https://jira.atlassian.com/browse/BAM-17736
http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html
http://www.securityfocus.com/archive/1/539003/100/0/threaded
http://www.securityfocus.com/bid/92057
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html
https://jira.atlassian.com/browse/BAM-17736

CWEs

CWE-284

Verify integrity in audit chain (admin only). AS-IS.