Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-11947

Argument Injection - CVE-2019-15000

XMLWordPrintable

      Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

      Affected versions:

      • All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

      What You Need to Do

      Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the release notes. You can download the latest version of Bitbucket Server from the download center.

      Fix:

      • Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from here
      • Bitbucket Server & Bitbucket Data Center 6.6.0 contains a fix available for download from here
      • Bitbucket Server & Bitbucket Data Center 6.5.2 contains a fix available for download from here
      • Bitbucket Server & Bitbucket Data Center 6.4.3 contains a fix available for download from here
      • Bitbucket Server & Bitbucket Data Center 6.3.5 contains a fix available for download from here
      • Bitbucket Server & Bitbucket Data Center 6.2.6 contains a fix available for download from here
      • Bitbucket Server & Bitbucket Data Center 6.1.8 contains a fix available for download from here
      • Bitbucket Server & Bitbucket Data Center 6.0.10 contains a fix available for download from here
      • Bitbucket Server & Bitbucket Data Center 5.16.10 contains a fix available for download from here

      Mitigation

      To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.

      The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

      Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the standard functionality of Bitbucket.

      This hotfix covers:

      • Standard Bitbucket functionality and features
      • Bitbucket Server and Data Center versions 4.0.0 and later
      • Bitbucket Server and Data Center instances

      To install the hotfix:

      This hotfix is a zero down time installation - No restart is required after installing the hotfix.

      1. Login to Bitbucket with your administrator account
      2. Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
      3. Select “Upload App” and provide the URL: bitbucket-bserv-11896-hotfix-1.0.0.jar
      4. Click “Upload” and wait for the hotfix to install.

      If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

      After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

       

      For additional details, see the full advisory.

        1. bitbucket-bserv-11896-hotfix-1.0.0.jar
          14 kB

          Form Name

            [BSERV-11947] Argument Injection - CVE-2019-15000

            David Black made changes -
            Labels Original: advisory advisory-to-release argument-injection bugbounty cvss-critical injection security New: advisory advisory-released argument-injection bugbounty cvss-critical injection security
            Said made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 471239 ]
            Richard Atkins made changes -
            Labels Original: advisory advisory-to-release argument-injection bugbounty cvss-critical security New: advisory advisory-to-release argument-injection bugbounty cvss-critical injection security
            Brian Adeloye (Inactive) made changes -
            Security Original: Atlassian Staff [ 10750 ]
            Michael Andreacchio made changes -
            Description Original: eBitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
            * Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download/]

            * Bitbucket Server & Bitbucket Data Center 6.6.0 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.5.2 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.4.3 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.3.5 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.2.6 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.1.8 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.0.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 5.16.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            h3. *Mitigation*

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].             		New: Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
            * Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download/]

            * Bitbucket Server & Bitbucket Data Center 6.6.0 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.5.2 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.4.3 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.3.5 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.2.6 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.1.8 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.0.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 5.16.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            h3. *Mitigation*

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].
            Michael Andreacchio made changes -
            Description Original: Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
            * Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download/]

            * Bitbucket Server & Bitbucket Data Center 6.6.0 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.5.2 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.4.3 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.3.5 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.2.6 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.1.8 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.0.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 5.16.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            h3. Mitigation

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].             		New: eBitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
            * Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download/]

            * Bitbucket Server & Bitbucket Data Center 6.6.0 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.5.2 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.4.3 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.3.5 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.2.6 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.1.8 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.0.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 5.16.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            h3. *Mitigation*

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].
            Michael Andreacchio made changes -
            Description Original: Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
            * Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download/]

             * Bitbucket Server & Bitbucket Data Center version 6.6.0 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.5.2 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.4.3 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.3.5 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.2.6 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.1.8 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.0.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 5.16.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

            h3. Mitigation

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].             		New: Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
            * Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download/]

            * Bitbucket Server & Bitbucket Data Center 6.6.0 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.5.2 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.4.3 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.3.5 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.2.6 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.1.8 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 6.0.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            * Bitbucket Server & Bitbucket Data Center 5.16.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

            h3. Mitigation

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].
            Michael Andreacchio made changes -
            Description Original: Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
             * Bitbucket Server & Bitbucket Data Center version 6.6.1 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download/]

             * Bitbucket Server & Bitbucket Data Center version 6.6.0 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.5.2 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.4.3 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.3.5 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.2.6 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.1.8 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.0.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 5.16.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

            h3. Mitigation

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].             		New: Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
            * Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download/]

             * Bitbucket Server & Bitbucket Data Center version 6.6.0 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.5.2 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.4.3 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.3.5 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.2.6 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.1.8 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.0.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 5.16.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

            h3. Mitigation

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].
            Tomasz Tokarczuk (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 450616 ]
            David Black made changes -
            Description Original: Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
             * Bitbucket Server & Bitbucket Data Center version 6.6.1 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download/]

             * Bitbucket Server & Bitbucket Data Center version 6.6.0 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.5.2 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.4.3 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.3.5 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.2.6 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.1.8 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.0.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 5.16.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

            h3. Mitigation

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account

             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“

             # Select “Upload App” and provide the URL: {{https://jira.atlassian.com/secure/attachment/376655/bitbucket-bserv-11896-hotfix-1.0.0.jar}}

             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].             		New: Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

            *Affected versions:*
             * All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. 

            h3. *What You Need to Do*

            Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

            *Fix*:
             * Bitbucket Server & Bitbucket Data Center version 6.6.1 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download/]

             * Bitbucket Server & Bitbucket Data Center version 6.6.0 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.5.2 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.4.3 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.3.5 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.2.6 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.1.8 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 6.0.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

             * Bitbucket Server & Bitbucket Data Center version 5.16.10 contains a fix for this issue and is available for download from [https://www.atlassian.com/software/bitbucket/download-archives]

            h3. Mitigation

            To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
            {panel:bgColor=#ffffce}
            The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

            Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the _standard_ _functionality_ of Bitbucket.
            {panel}
            *This hotfix covers:*
             * Standard Bitbucket functionality and features
             * Bitbucket Server and Data Center versions 4.0.0 and later
             * Bitbucket Server and Data Center instances

            h4. To install the hotfix:

            This hotfix is a _zero down time installation_ - No restart is required after installing the hotfix.
             # Login to Bitbucket with your administrator account
             # Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“
             # Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}
             # Click “Upload” and wait for the hotfix to install.

            If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

            After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

             

            For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: