CyberSec.Space Logo
Back to CVE Browser

CVE-2016-5229

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1390%
EPSS Percentile18.97th
PublishedAug 2, 2016
Last ModifiedMay 6, 2026

Vulnerability Description

Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allows remote attackers to execute arbitrary code via vectors related to XStream Serialization.

Affected Platforms (CPE)

πŸ“¦
Atlassian

Bamboo

<= 5.11.3
πŸ“¦
Atlassian

Bamboo

= 5.12.0
πŸ“¦
Atlassian

Bamboo

= 5.12.1
πŸ“¦
Atlassian

Bamboo

= 5.12.2

References & Advisories

πŸ”— http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html
πŸ”— http://www.securityfocus.com/archive/1/539003/100/0/threaded
πŸ”— http://www.securityfocus.com/bid/92057
πŸ”— https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2016-07-20-831660461.html
πŸ”— https://jira.atlassian.com/browse/BAM-17736
πŸ”— http://packetstormsecurity.com/files/138053/Bamboo-Deserialization-Issue.html
πŸ”— http://www.securityfocus.com/archive/1/539003/100/0/threaded
πŸ”— http://www.securityfocus.com/bid/92057

Related Vulnerabilities

CVE-2014-97579.8

The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XM...

CVE-2015-83609.8

An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Jav...

CVE-2021-378439.8

The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is k...

CVE-2017-145899.6

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has re...