H-ISAC TLP White Vulnerability Bulletin: Remote Code Execution Flaw in Atlassian Bamboo Data Center and Server

H-ISAC TLP White: Remote Code Execution Flaw (CVE-2024-21689) in Atlassian Bamboo Data Center and Server 

August 21, 2024

On August 20, 2024, Atlassian released a security advisory to address a high-severity vulnerability affecting its Bamboo Data Center and Server software.

Bamboo Data Center and Server is a continuous integration and continuous delivery (CI/CD) server that automates the building, testing, and deployment of software applications.

Health-ISAC provides this information for situational awareness and encourages users to update vulnerable Atlassian Bamboo Data Center and Server instances.

Because the platform manages and automates the entire software development lifecycle, it influences code versioning, deployment, and production environments.

Due to these far-reaching impacts, exploitation of vulnerable instances could compromise entire software development pipelines.

The vulnerability, identified as CVE-2024-21689, has a CVSS score of 7.6 and is a privilege escalation security flaw that affects Bamboo Data Center and Server versions 9.1.0 through 9.6.0.

Successful exploitation allows an authenticated attacker to execute arbitrary code within the Bamboo environment, which can negatively impact the confidentiality, integrity, and availability of vulnerable Bamboo instances.

View the detailed bulletin below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272