[BSERV-11960] Improper Authorization in Bitbucket Server through ATST Plugin - CVE-2019-15005 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 6.6.0
Affects Version/s: 6.3.4, 6.4.2, 6.5.1, 6.1.7, 5.16.9, 6.0.9, 6.2.5, 6.5.2
Component/s: System Administration - Troubleshooting and Support Tools (ATST)
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 which was used in Bitbucket Server & Bitbucket Data Center before version 6.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

is related to

BAM-20647 Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15005

Closed

CONFSERVER-58924 Improper Authorization in Confluence Server through ATST Plugin - CVE-2019-15005

Closed

CWD-5466 Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

Closed

FE-7226 Improper Authorization in Fisheye & Crucible through ATST Plugin - CVE-2019-15005

Closed

JSWSERVER-20255 Improper Authorization in Jira Server through ATST Plugin - CVE-2019-15005

Closed

Security Metrics Bot added a comment - 12/Sep/2019 8:01 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Security Metrics Bot added a comment - 12/Sep/2019 8:01 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 12/Sep/2019 8:01 PM

Updated:: 10/Dec/2019 3:24 AM

Resolved:: 12/Sep/2019 10:45 PM

Bitbucket Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[BSERV-11960] Improper Authorization in Bitbucket Server through ATST Plugin - CVE-2019-15005

Collapse comment: Security Metrics Bot added a comment - 12/Sep/2019 8:01 PM

Expand comment: Security Metrics Bot added a comment - 12/Sep/2019 8:01 PM

People

Dates

Backbone Issue Sync