CVE-2016-5229 - Deserialisation resulting in remote code execution caused by insufficient restriction on permitted deserialised classes

Bamboo had a resource that deserialised input from build agents and did not sufficiently restrict which classes could be deserialised. To exploit this issue, attackers need to have a valid Bamboo agent fingerprint or be able to run code on a Bamboo agent.

Affected versions:

• All versions of Bamboo from 2.3.1 before 5.11.4.1 (the fixed version for 5.11.x) and from 5.12.0 before 5.12.3.1 (the fixed version for 5.12.x) are affected by this vulnerability.

\
Fix:

• Bamboo 5.12.3.1 is available for download from https://www.atlassian.com/software/bamboo/download.
• Bamboo 5.11.4.1 is available for download from https://www.atlassian.com/software/bamboo/download-archives.

\
Acknowledgements:
We would like to credit Moritz Bechler of AgNO3 for reporting this issue to us.

\
For additional details see the [full advisory|https://confluence.atlassian.com/x/rSGSMQ].