Bamboo is a continuous integration and deployment tool developed by Atlassian, that ties automated builds, tests and releases together in a single workflow.
Affected versions of Bamboo have a REST endpoint that parses a YAML file that fails to sufficiently restrict which classes can be loaded, allowing an authenticated user to execute Java code on the targeted machine.
Bamboo 6.0.x prior to 6.0.5
Bamboo 6.1.x prior to 6.1.4
Bamboo 6.2.x prior to 6.2.1
QID Detection Logic:
This unauthenticated QID retrieves vulnerable versions by transmitting a request to the /userlogin!doDefault.action resource of a Atlassian Bamboo installation.
An attacker who can log in to Bamboo as a user is able to exploit this vulnerability to execute Java code of their choice on systems that have vulnerable versions of Bamboo.