[BSERV-10593] Argument injection in the download commit resource through the at parameter - CVE-2017-18087 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 5.5.0, 5.4.1, 5.1.7, 5.2.5, 5.3.3
Affects Version/s: 5.1.0, 5.2.0, 5.3.0, 5.4.0
Component/s: None
Labels:

Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and or determine if an internal service exists via an argument injection vulnerability in the at parameter.

mentioned in: Page Failed to load

Form Name

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 02/Feb/2018 12:11 AM

Updated:: 05/Dec/2019 1:30 AM

Resolved:: 02/Feb/2018 3:13 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[BSERV-10593] Argument injection in the download commit resource through the at parameter - CVE-2017-18087

People

Dates

Backbone Issue Sync