CVE-2023-46604 - Apache ActiveMQ RCE Vulnerability impacts Bamboo Data Center and Server


On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

CVE-2023-46604 - Apache ActiveMQ RCE Vulnerability impacts Bamboo Data Center and Server

SummaryCVE-2023-46604 - Apache ActiveMQ RCE Vulnerability impacts Bamboo Data Center and Server
Advisory Release DateThu, Nov 09 2023 04:30 PST
  • Bamboo Data Center
  • Bamboo Server
CVE IDCVE-2023-46604
Related Jira Ticket(s)

Summary of Vulnerability

Bamboo utilizes a third-party library ActiveMQ as part of its core services. Apache Active MQ has published a vulnerability (CVE-2023-46604) that allows Remote Code Execution (RCE). Because of the high severity of this Active MQ CVE, in the abundance of caution, we are publishing this advisory ahead of our regular schedule of advisories.


Apache Active MQ rates the severity level of this vulnerability as critical (10.0 with the following vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).
Atlassian recommends you should evaluate its applicability to your own IT environment. 

Affected Versions

This RCE (Remote Code Execution) vulnerability affects all versions prior to the listed fix versions of Bamboo Data Center and Server. Atlassian recommends patching to the fixed LTS version or later.

ProductAffected Versions
Bamboo Data Center and ServerAll versions are affected

What You Need To Do

Immediately patch to a fixed version

Atlassian recommends that you patch each of your affected installations to one of the listed fixed versions (or any later version) below.

ProductFixed Versions
Bamboo Data Center and Server
  • 9.2.7 or later
  • 9.3.5 or later
  • 9.4.1 or later

Apply temporary mitigations if unable to patch

Alternatively, as an interim measure if you cannot upgrade, ensure that the Bamboo server is behind a firewall/VPC and only allows connections to the ActiveMQ broker ports from trusted sources.

The default ports for ActiveMQ are:

  • TCP/54663
  • TCP/54664
  • TCP/54665

Please note these ports can be customized, please refer to the FAQ for further information.

Note: These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible.


If you did not receive an email for this advisory, and you wish to receive such emails in the future go to and subscribe to Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at


Security Bug Fix PolicyAs per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches.
Binary patches are no longer released.
Security Levels for Security IssuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at
End of Life PolicyOur end of life policy varies for different products. Please refer to our EOL Policy for details.
Last modified on Nov 9, 2023

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.