[BSERV-10439] Race condition in auto-unapprove plugin - CVE-2017-16857 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end.
This allows an attacker to merge any code into unsuspecting repositories.

All versions before version 3.0.1 of the auto-unapprove plugin are affected, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket

Form Name

No work has yet been logged on this issue.

Assignee:: Kristy

Reporter:: Kristy

Affected customers:: 0 This affects my team

Watchers:: 4 Start watching this issue

Created:: 04/Dec/2017 2:24 AM

Updated:: 24/Oct/2018 5:04 AM

Resolved:: 04/Dec/2017 11:20 PM

Details

Description

Attachments

Forms

Activity

[BSERV-10439] Race condition in auto-unapprove plugin - CVE-2017-16857

People

Dates

Backbone Issue Sync