CVE-2017-14589

CVE Database · CVE-2017-14589

CVE-2017-14589

· N/AModified

CVSS v3.1

N/A

EPSS

1.87%

Published

Dec 13, 2017

Modified

May 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker who has restricted administration rights to Bamboo or who hosts a website that a Bamboo administrator visits, is able to exploit this vulnerability to execute Java code of their choice on systems that run a vulnerable version of Bamboo. All versions of Bamboo before 6.1.6 (the fixed version for 6.1.x) and from 6.2.0 before 6.2.5 (the fixed version for 6.2.x) are affected by this vulnerability.

Weaknesses (CWE)

CWE-20

Affected Products (2)

atlassian · bamboo (up to 6.1.6)vulnerable

atlassian · bamboo (up to 6.2.5)vulnerable

References (6)

http://www.securityfocus.com/bid/102188

Third Party AdvisoryVDB Entry

https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html

Vendor Advisory

https://jira.atlassian.com/browse/BAM-18842

Issue TrackingVendor Advisory

http://www.securityfocus.com/bid/102188

Third Party AdvisoryVDB Entry

https://confluence.atlassian.com/bamboo/bamboo-security-advisory-2017-12-13-939939816.html

Vendor Advisory

https://jira.atlassian.com/browse/BAM-18842

KEV Catalog EPSS Scores Vendors All CVEs