
Argument injection in the download commit resource through the at parameter - CVE-2017-18087

      The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk, potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and/or determine if an internal service exists, via an argument injection vulnerability in the at parameter.
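
The class of bug described above, shown from the defender's side as an added example (not Atlassian's code or fix): a request value such as at is validated against a ref allow-list and placed after git's end-of-options marker before it reaches a git command line. The function names, the choice of `git rev-parse` (the issue does not say which git command the resource runs) and the sample values are assumptions made for illustration.

```python
import re

# Conservative allow-list for a branch, tag or commit id. Assumption: this is
# stricter than git's own ref rules; it is not Bitbucket's validation.
_SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")


class UnsafeRef(ValueError):
    """Raised when a request value could be read as anything but a ref name."""


def check_ref(at: str) -> str:
    """Return `at` unchanged if it can only be a ref name, else raise UnsafeRef.

    Rejects empty input, a leading '-', whitespace, control characters and
    ref syntax such as '..', '//' or a trailing '.lock'.
    """
    if (not _SAFE_REF.fullmatch(at) or ".." in at or "//" in at
            or at.endswith((".lock", "/", "."))):
        raise UnsafeRef(f"rejected ref: {at!r}")
    return at


def naive_argv(at: str) -> list[str]:
    """Unsafe pattern: the request value sits where git still parses options."""
    return ["git", "rev-parse", "--verify", at]


def hardened_argv(at: str) -> list[str]:
    """Validate, end option parsing, and pin the value to a commit object."""
    return ["git", "rev-parse", "--verify", "--end-of-options",
            check_ref(at) + "^{commit}"]


def audit(values: list[str]) -> dict[str, bool]:
    """Map each candidate value to whether check_ref accepts it."""
    result = {}
    for value in values:
        try:
            check_ref(value)
            result[value] = True
        except UnsafeRef:
            result[value] = False
    return result


# Constructed sample values, not taken from the advisory.
SAMPLES = ["refs/heads/master", "release/5.4", "a1b2c3d",
           "--constructed-option=value", "-x", "", "a..b", "two words"]
```

The two measures are independent layers: the allow-list rejects option-like values at the request boundary, and `--end-of-options` (supported by recent git releases) stops git from treating anything after it as an option.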

            [BSERV-10593] Argument injection in the download commit resource through the at parameter - CVE-2017-18087

            Richard Atkins made changes -
            Labels Original: CVE-2017-18087 advisory advisory-released bugbounty command-injection cvss-high security New: CVE-2017-18087 advisory advisory-released bugbounty command-injection cvss-high injection security
            Owen made changes -
            Workflow Original: Stash Workflow - Restricted [ 2594774 ] New: JAC Bug Workflow v3 [ 3137278 ]
            Owen made changes -
            Symptom Severity Original: Critical [ 14430 ] New: Severity 1 - Critical [ 15830 ]
            Lucy made changes -
            Remote Link New: This issue links to "Page (Extranet)" [ 357235 ]
            David Black made changes -
            Labels Original: CVE-2017-18087 advisory advisory-to-release bugbounty command-injection cvss-high security New: CVE-2017-18087 advisory advisory-released bugbounty command-injection cvss-high security
            David Black made changes -
            Security Original: Atlassian Staff [ 10750 ]
            David Black made changes -
            Labels Original: advisory advisory-to-release bugbounty command-injection cvss-high security New: CVE-2017-18087 advisory advisory-to-release bugbounty command-injection cvss-high security
            David Black made changes -
            Summary Original: Argument injection in the download commit resource - CVE-2017-18087 New: Argument injection in the download commit resource through the at parameter - CVE-2017-18087
            David Black made changes -
            Description Original: The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and or determine if an internal service exists via an argument injection vulnerability. New: The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and or determine if an internal service exists via an argument injection vulnerability in the at parameter.
            David Black made changes -
            Description Original: The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3, and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and or determine if an internal service exists via an argument injection vulnerability. New: The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and or determine if an internal service exists via an argument injection vulnerability.

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot