Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
High
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: None
-
Symptom Severity:Severity 2 - Major
-
Bug Fix Policy:
Description
It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end.
This allows an attacker to merge any code into unsuspecting repositories.
All versions before version 3.0.1 of the auto-unapprove plugin are affected, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket