CVE-2024-21687
CVE-2024-21687 is a high-severity vulnerability in Atlassian Bamboo with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-98.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- EPSS exploit prediction: 1% (50th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-19303
- Weakness: CWE-98
- Affected product: Atlassian Bamboo
- Published:
- Last modified:
Description
This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). This vulnerability was reported via our Bug Bounty program.
Frequently asked questions
- What is CVE-2024-21687?
- This High severity File Inclusion vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0 and 9.6.0 of Bamboo Data Center and Server. This File Inclusion vulnerability, with a CVSS Score of 8.1, allows an authenticated attacker to get the application to display the contents of a local file, or execute a different files already stored locally on the server which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center and Server from the download center (https://www.atlassian.com/software/bamboo/download-archives). This vulnerability was reported via our Bug Bounty program.
- How severe is CVE-2024-21687?
- CVE-2024-21687 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2024-21687 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (50th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-21687?
- CVE-2024-21687 affects Atlassian Bamboo. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-21687?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2024-21687 have an EU (EUVD) identifier?
- Yes. CVE-2024-21687 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19303.
- When was CVE-2024-21687 published?
- CVE-2024-21687 was published on 2024-07-16 and last updated on 2026-06-17.
References
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917
- https://jira.atlassian.com/browse/BAM-25822
Affected products (1)
- cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*
More vulnerabilities in Atlassian Bamboo
- CVE-2022-26136 — Critical (CVSS 9.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used…
- CVE-2016-5229 — Critical (CVSS 9.8): Atlassian Bamboo before 5.11.4.1 and 5.12.x before 5.12.3.1 does not properly restrict permitted deserialized classes,…
- CVE-2015-8360 — Critical (CVSS 9.8): An unspecified resource in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0 allows remote attackers to execute…
- CVE-2014-9757 — Critical (CVSS 9.8): The Ignite Realtime Smack XMPP API, as used in Atlassian Bamboo before 5.9.9 and 5.10.x before 5.10.0, allows remote…
- CVE-2017-14589 — Critical (CVSS 9.6): It was possible for double OGNL evaluation in FreeMarker templates through Struts FreeMarker tags to occur. An attacker…
- CVE-2017-14590 — Critical (CVSS 9.1): Bamboo did not check that the name of a branch in a Mercurial repository contained argument parameters. An attacker who…
All CVEs affecting Atlassian Bamboo →
Other CWE-98 (PHP Remote File Inclusion) vulnerabilities
- CVE-2025-25174 — Critical (CVSS 10.0): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability…
- CVE-2012-10025 — Critical (CVSS 10.0): The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI)…
- CVE-2026-41228 — Critical (CVSS 9.9): Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint…
- CVE-2025-31340 — Critical (CVSS 9.9): A improper control of filename for include/require statement in PHP program vulnerability in the retrieve course…
- CVE-2023-5199 — Critical (CVSS 9.9): The PHP to Page plugin for WordPress is vulnerable Local File Inclusion to Remote Code Execution in versions up to, and…
- CVE-2026-7515 — Critical (CVSS 9.8): The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0…
Browse all CWE-98 (PHP Remote File Inclusion) vulnerabilities →