Race condition in auto-unapprove plugin - CVE-2017-16857


    • Severity 2 - Major

      It is possible to bypass the Bitbucket auto-unapprove plugin with minimal brute force because it relies on asynchronous back-end events to revoke approvals.
      This allows an attacker to merge any code into unsuspecting repositories.

      All versions of the auto-unapprove plugin before 3.0.1 are affected. Since the auto-unapprove plugin is not bundled with Bitbucket Server, no particular version of Bitbucket Server is affected.
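As an added illustration (not the plugin's own code, and not Bitbucket's API), a Python model of the two merge-check patterns behind this issue: one that trusts the stored approval list and relies on an asynchronous listener to clear stale approvals, and one that checks at merge time that each approval was given for the current head commit. All names and the single-approval policy are hypothetical.

```python
"""Model of the auto-unapprove race: asynchronous revocation vs. synchronous check.

Constructed example, not the plugin's implementation. The point is that an
approval must be bound to the commit it was given for and validated at the
moment of the merge, not revoked by a listener that may run too late.
"""
from dataclasses import dataclass, field


@dataclass
class Approval:
    reviewer: str
    commit: str  # head commit the reviewer actually looked at


@dataclass
class PullRequest:
    head: str
    approvals: list[Approval] = field(default_factory=list)
    min_approvals: int = 1


def merge_allowed_async_model(pr: PullRequest) -> bool:
    """Vulnerable pattern: counts whatever approvals are stored, assuming an
    asynchronous 'new commit' listener has already removed stale ones."""
    return len(pr.approvals) >= pr.min_approvals


def merge_allowed_synchronous(pr: PullRequest) -> bool:
    """Hardened pattern: only approvals given for the current head count,
    evaluated synchronously as part of the merge decision."""
    fresh = [a for a in pr.approvals if a.commit == pr.head]
    return len(fresh) >= pr.min_approvals


def simulate(check) -> bool:
    """Constructed scenario: a reviewer approves head c1, then a new commit c2
    lands and the merge is attempted before any unapprove listener has run."""
    pr = PullRequest(head="c1", approvals=[Approval("reviewer", "c1")])
    pr.head = "c2"  # new commit pushed; stale approval still stored
    return check(pr)


if __name__ == "__main__":
    print("async model allows merge:", simulate(merge_allowed_async_model))
    print("sync check allows merge: ", simulate(merge_allowed_synchronous))
```

The synchronous check closes the window because the merge decision no longer depends on when a separate event handler runs.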

            Assignee: Kristy
            Reporter: Kristy