CVE-2026-21571
Gravedad CVSS v4.0:
CRÍTICA
Tipo:
CWE-78
Neutralización incorrecta de elementos especiales usados en un comando de sistema operativo (Inyección de comando de sistema operativo)
Fecha de publicación:
21/04/2026
Última modificación:
22/04/2026
Descripción
*** Pendiente de traducción *** This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0,<br />
11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.<br />
<br />
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of<br />
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an authenticated attacker to execute commands<br />
on the remote system, which has high impact to confidentiality, high impact to integrity, high impact to availability,<br />
and requires no user interaction.<br />
<br />
Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade<br />
your instance to one of the specified supported fixed versions:<br />
Bamboo Data Center 9.6.0: Upgrade to a release greater than or equal to 9.6.25<br />
Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.18 <br />
Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.6<br />
<br />
See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
Impacto
Puntuación base 4.0
9.40
Gravedad 4.0
CRÍTICA