PT-2020-5035 · Atlassian · Bamboo Data Center/Server

Published 2020-11-16 · Updated 2025-09-29 · CVE-2020-26217

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: XStream versions prior to 1.4.14; Bamboo Data Center and Server version 9.2.1

Description: The issue exists due to the lack of neutralization of special elements used in operating system commands. This may allow a remote attacker to execute arbitrary code by manipulating the processed input stream. Only users relying on blocklists are affected, while those using XStream's Security Framework allowlist are not.

Recommendations: For XStream versions prior to 1.4.14, upgrade to version 1.4.14 or later. For Bamboo Data Center and Server version 9.2.1, upgrade to a release greater than or equal to 9.2.8. As a temporary workaround for users who cannot upgrade, consider using the code workarounds provided in the advisory. Restrict access to the vulnerable XStream library to minimize the risk of exploitation until the issue is resolved.

Exploit · Fix · RCE · OS Command Injection


Weakness Enumeration

Related Identifiers

ALSA-2025_16880
BDU:2020-05622
BIT-ACTIVEMQ-2020-26217
CESA-2021_0162
CVE-2020-26217
DLA-2471-1
DSA-4811-1
ELSA-2021-0162
GHSA-MW36-7C6C-Q4Q2
OPENSUSE-SU-2021:0140-1
OPENSUSE-SU-2021_0140-1
OPENSUSE-SU-2024:10592-1
RHSA-2021:0162
RHSA-2021_0162
SUSE-SU-2021:0176-1
SUSE-SU-2021:0906-1
SUSE-SU-2021_0176-1
USN-4714-1
USN-4943-1
USN-6978-1

Affected Products

Bamboo
Bamboo Data Center/Server
CentOS
Linux Mint
Red Hat
SUSE
Ubuntu
XStream