[BSERV-10439] Race condition in auto-unapprove plugin - CVE-2017-16857 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: High
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end.
This allows an attacker to merge any code into unsuspecting repositories.

All versions before version 3.0.1 of the auto-unapprove plugin are affected, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket

Attachments

Activity

People

Assignee:: Kristy Hughes

Reporter:: Kristy Hughes

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 04/Dec/2017 2:24 AM

Updated:: 24/Oct/2018 5:04 AM

Resolved:: 04/Dec/2017 11:20 PM