CyberSec.Space Logo
Back to CVE Browser

CVE-2017-14589

CRITICAL
9.6
CVSS Severity Score
EPSS Score0.0260%
EPSS Percentile5.47th
PublishedDec 13, 2017
Last ModifiedMay 13, 2026

Vulnerability Description

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Affected Platforms (CPE)

πŸ“¦
Atlassian

Bamboo

< 6.1.6
πŸ“¦
Atlassian

Bamboo

>= 6.2.0 and < 6.2.5

References & Advisories

πŸ”— http://www.securityfocus.com/bid/102188
πŸ”— https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html
πŸ”— https://jira.atlassian.com/browse/BAM-18842
πŸ”— http://www.securityfocus.com/bid/102188
πŸ”— https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html
πŸ”— https://jira.atlassian.com/browse/BAM-18842

Related Vulnerabilities

CVE-2014-97579.8

The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote configured XM...

CVE-2015-83609.8

An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute arbitrary Jav...

CVE-2021-378439.8

The resolution SAML SSO apps for Atlassian products allow a remote attacker to login to a user account when only the username is k...

CVE-2016-52299.8

Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes, which allow...