CVE-2015-6576

Published: 03/10/2017 Updated: 03/05/2019
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 580
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

Bamboo 2.2 prior to 5.8.5 and 5.9.x prior to 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.

Vulnerable Product

atlassian bamboo

Github Repositories

Some PoC (Proof-of-Concept) about vulnerability of java deserialization of untrusted data

Java Deserialization Of Untrusted Data. Here there are practical examples of the deserialization of untrusted data vulnerability. These PoCs use the ysoserial tool to generate exploits. PoCs: Minimal Example. Use OpenJDK 18: cd MinimalExample java -jar /ysoserial-master-v005-gb617b7b-16jar CommonsCollections6 "/tmp/exploitsh">payloadser cp /exploit

A PoC for the Bamboo deserialization exploit

CVE-2015-6576 A PoC for the Bamboo deserialization exploit