Check out what’s new for ScriptRunner for Bamboo.

ScriptRunner Remote Events Code Execution Vulnerability

An HTTP POST made to /rest/scriptrunner/latest/remote-events with a specially crafted JSON payload could lead to unrestricted Groovy code execution for any logged-in user, regardless of permissions.

This security vulnerability has been fixed in ScriptRunner; it is recommended all customers upgrade to where possible.

If no firewall is enabled, users must update ScriptRunner to include this security patch.

If using a proxy server in front of the application, blocking HTTP requests beginning with rest/scriptrunner/latest/remote-events/* mitigates the vulnerability.
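To check whether the endpoint has already been called, and whether a proxy block rule is actually rejecting requests, the access log can be scanned for POSTs to the path above. The following is an added example, not code from ScriptRunner or Adaptavist; it assumes a common/combined-format access log and a proxy rule that answers 403, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Path named in the advisory; a context path such as /bamboo may precede it.
ENDPOINT = "/rest/scriptrunner/latest/remote-events"

# Assumed log layout (common/combined format):
# host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def normalize_path(target):
    """Drop the query string, percent-decode, collapse '//' and lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def hits_endpoint(target):
    """True for the endpoint or any sub-path; excludes e.g. 'remote-events-docs'."""
    return re.search(re.escape(ENDPOINT) + r"(/|$)", normalize_path(target)) is not None

def find_remote_events_posts(lines):
    """Return one record per POST to the advisory's endpoint."""
    fields = ("host", "user", "time", "status", "target")
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and hits_endpoint(m["target"]):
            hits.append({k: m[k] for k in fields})
    return hits

def not_blocked(hits, block_status="403"):
    """Hits the proxy did not reject; assumes the block rule answers 403."""
    return [h for h in hits if h["status"] != block_status]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - alice [01/Jan/2000:10:01:02 +0000] "POST /rest/scriptrunner/latest/remote-events HTTP/1.1" 200 512',
    '198.51.100.7 - alice [01/Jan/2000:10:01:05 +0000] "GET /rest/scriptrunner/latest/remote-events HTTP/1.1" 405 0',
    '203.0.113.9 - bob [01/Jan/2000:10:02:00 +0000] "POST /bamboo//rest/scriptrunner/latest/Remote%2DEvents/x?y=1 HTTP/1.1" 403 0',
    '203.0.113.9 - bob [01/Jan/2000:10:03:00 +0000] "POST /rest/scriptrunner/latest/remote-events-docs HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in not_blocked(find_remote_events_posts(SAMPLE_LOG)):
        print(hit)
```

Any record returned by not_blocked on a version without the fix is a request that reached the application and is worth reviewing against the user and time fields.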


New user interface

The user interface has been rewritten to provide a more user-friendly experience. The appearance is very similar to the existing UI.

Customize the UI with Script Fragments

Script Fragments are here for ScriptRunner for Bamboo! Add your own customized elements to the Bamboo user interface. This can range from simple buttons and dialogs to integrations, such as adding a static analysis tab to your build results.

Also, with the ability to add your own CSS and JavaScript through web resources, there are virtually no limits to what you can accomplish.

Script Search within Script File Input

You now have the ability to search for scripts contained within your configured script roots inside ScriptRunner. Wherever you used to be able to paste the path of a script, you can now search for the script directly in the file input. Simply start typing the name of your script and the search will present suggestions that you can select!

Fixes and Features

  • [SRBAM-46] - Script Jobs User Picker does not do user search when editing an existing job
  • [SRBAM-71] - Searching for web fragments is hard to read
  • [SRBAM-85] - Bamboo restart does not startup the plugin correctly
  • [SRBAM-86] - port new UI to bamboo
  • [SRBAM-110] - Can not add new tasks/conditions through the UI for later Bamboo versions
  • [SRBAM-57] - Further build-killing listeners
  • [SRBAM-15] - As an Administrator, I need to install custom web resources to modify the UI of Bamboo
  • [SRBAM-16] - As a Script Developer, I need to know where fragments are located in Bamboo so I know where it is possible to inject my own web items
  • [SRBAM-48] - Switch user - integration testing
  • [SRBAM-50] - Integration Test - View Server Log Files
  • [SRBAM-51] - Integration test - Expired JDK listener
  • [SRBAM-52] - Integration test - Script Jobs
  • [SRBAM-66] - As an Administrator, I need to embed custom web sections in Bamboo in order to get relevant content from outside Bamboo visible to my developers
  • [SRBAM-67] - As an Administrator, I need to embed my own web items so I can help users perform actions relevant to them not available to Bamboo
  • [SRBAM-70] - Specific Use Case: Add a tab to the build that displays information about the build (such as static analysis results)


New Features

Scriptable tasks have been added, which let you easily use different parameters depending on build variables or committed files etc.

Incompatible with previous versions

Unfortunately, tasks in this version have different keys. If you had used tasks previously, please recreate them. We won’t do this again.



Compatible with Bamboo version 6.x.x.
