CVE-2024-21687

moderate-risk

Published 2024-07-16

This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). This vulnerability was reported via our Bug Bounty program.

Do I need to act?

1.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / LOW complexity

Affected Products (1)

Bamboo

Affected Vendors

Atlassian

References (4)

Vendor Advisory https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917

Vendor Advisory https://jira.atlassian.com/browse/BAM-25822

Vendor Advisory https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917

Vendor Advisory https://jira.atlassian.com/browse/BAM-25822

/ 100

moderate-risk

Severity 28/34 · Critical

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal