[BSERV-10439] Race condition in auto-unapprove plugin - CVE-2017-16857 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end.
This allows an attacker to merge any code into unsuspecting repositories.

All versions before version 3.0.1 of the auto-unapprove plugin are affected, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket

Matt Hart (Inactive) added a comment - 05/Dec/2017 5:13 AM

CVSS v3 score: 8.5 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

Matt Hart (Inactive) added a comment - 05/Dec/2017 5:13 AM CVSS v3 score: 8.5 => High severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required Low User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality High Integrity High Availability High

Kristy added a comment - 04/Dec/2017 11:20 PM

Fixed in 3.0.1 of stash-auto-unapprove-plugin

Kristy added a comment - 04/Dec/2017 11:20 PM Fixed in 3.0.1 of stash-auto-unapprove-plugin

Kristy added a comment - 04/Dec/2017 2:43 AM

This is being fixed in https://bitbucket.org/atlassian/stash-auto-unapprove-plugin/pull-requests/27/bserv-10439-add-merge-check-that-prevents

Kristy added a comment - 04/Dec/2017 2:43 AM This is being fixed in https://bitbucket.org/atlassian/stash-auto-unapprove-plugin/pull-requests/27/bserv-10439-add-merge-check-that-prevents

Assignee:: Kristy

Reporter:: Kristy

Affected customers:: 0 This affects my team

Watchers:: 4 Start watching this issue

Created:: 04/Dec/2017 2:24 AM

Updated:: 24/Oct/2018 5:04 AM

Resolved:: 04/Dec/2017 11:20 PM

Bitbucket Data Center

Details

Description

Attachments

Forms

Activity

[BSERV-10439] Race condition in auto-unapprove plugin - CVE-2017-16857

Collapse comment: Matt Hart (Inactive) added a comment - 05/Dec/2017 5:13 AM

Expand comment: Matt Hart (Inactive) added a comment - 05/Dec/2017 5:13 AM

Collapse comment: Kristy added a comment - 04/Dec/2017 11:20 PM

Expand comment: Kristy added a comment - 04/Dec/2017 11:20 PM

Collapse comment: Kristy added a comment - 04/Dec/2017 2:43 AM

Expand comment: Kristy added a comment - 04/Dec/2017 2:43 AM

People

Dates

Backbone Issue Sync