CVE-2016-5229

Опубликовано: 02 авг. 2016

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.

Ссылки

http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html
Third Party Advisory
VDB Entry
http://www.securityfocus.com/archive/1/539003/100/0/threaded
http://www.securityfocus.com/bid/92057
Third Party Advisory
VDB Entry
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html
Vendor Advisory
https://jira.atlassian.com/browse/BAM-17736
Issue Tracking
http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html
Third Party Advisory
VDB Entry
http://www.securityfocus.com/archive/1/539003/100/0/threaded
http://www.securityfocus.com/bid/92057
Third Party Advisory
VDB Entry
https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html
Vendor Advisory
https://jira.atlassian.com/browse/BAM-17736
Issue Tracking

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*

Версия до 5.11.3 (включая)

cpe:2.3:a:atlassian:bamboo:5.12.0:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bamboo:5.12.1:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bamboo:5.12.2:*:*:*:*:*:*:*

EPSS

Процентиль: 90%

0.0603

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-284

Связанные уязвимости

GHSA-j677-8364-49vm