
Remote Code Execution (RCE) via certain user input fields


      Description

      Issue Summary

      Bitbucket Server versions from 3.0.0 onwards had a Remote Code Execution (RCE) vulnerability in certain user input fields. A remote attacker with user-level permissions could exploit it by submitting a specially crafted payload in one of those fields, executing arbitrary commands on the victim's Bitbucket Server instance.

      Affected versions:
      The versions of Bitbucket Server affected by this vulnerability are:

      • from version 3.x.x before 5.16.11 (the fixed version for 5.16.x),
      • from version 6.0.x before 6.0.11 (the fixed version for 6.0.x),
      • from version 6.1.x before 6.1.9 (the fixed version for 6.1.x),
      • from version 6.2.x before 6.2.7 (the fixed version for 6.2.x),
      • from version 6.3.x before 6.3.6 (the fixed version for 6.3.x),
      • from version 6.4.x before 6.4.4 (the fixed version for 6.4.x),
      • from version 6.5.x before 6.5.3 (the fixed version for 6.5.x),
      • from version 6.6.x before 6.6.3 (the fixed version for 6.6.x),
      • from version 6.7.x before 6.7.3 (the fixed version for 6.7.x),
      • from version 6.8.x before 6.8.2 (the fixed version for 6.8.x),
      • from version 6.9.x before 6.9.1 (the fixed version for 6.9.x).
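      To turn the list above into an inventory check, here is an added Python example (not Atlassian's code) that classifies a Bitbucket Server version string against the ranges in this issue. The `parse_version`, `assess` and `triage` helpers and the host names in `SAMPLE_INVENTORY` are constructed for illustration.

```python
import re
# Ranges taken from this issue: 3.0.0 up to (not including) 5.16.11 is one
# contiguous affected span; each 6.x branch has its own fixed release.
FIRST_AFFECTED = (3, 0, 0)
FIXED_5X = (5, 16, 11)
FIXED_6X = {
    0: (6, 0, 11), 1: (6, 1, 9), 2: (6, 2, 7), 3: (6, 3, 6), 4: (6, 4, 4),
    5: (6, 5, 3), 6: (6, 6, 3), 7: (6, 7, 3), 8: (6, 8, 2), 9: (6, 9, 1),
}
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Parse 'major.minor[.patch]' into an int tuple; suffixes like '-rc1' are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def assess(version):
    """Return 'affected', 'fixed' or 'not listed' for one Bitbucket Server version."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not listed"   # pre-3.0.0 releases are outside the advisory
    if v < FIXED_5X:
        return "affected"     # 3.0.0 .. 5.16.10, including every 4.x
    if v[0] < 6:
        return "fixed"        # 5.16.11 and anything later on 5.x
    fixed = FIXED_6X.get(v[1]) if v[0] == 6 else None
    if fixed is None:
        return "not listed"   # branch newer than any named in the issue
    return "affected" if v < fixed else "fixed"

def triage(inventory):
    """Assess 'host,version' records; unparsable versions are reported as 'unparsed'."""
    results = []
    for record in inventory:
        host, _, version = record.partition(",")
        try:
            status = assess(version)
        except ValueError:
            status = "unparsed"
        results.append((host.strip(), version.strip(), status))
    return results

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = ["git-prod-1,6.4.3", "git-prod-2,6.4.4", "git-legacy,4.14.3",
                    "git-old-5x,5.16.11", "git-staging,6.9.0-rc1", "git-dev,7.0.0",
                    "git-unknown,n/a"]
```

      Calling `triage(SAMPLE_INVENTORY)` returns one (host, version, status) tuple per record; a "not listed" result means the branch is newer than any this issue names and must be checked against a later advisory rather than assumed safe.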

      Workaround

      Currently there is no known workaround.
       

              People

              Assignee:
              Unassigned
              Reporter:
              sraj2@atlassian.com Sparsh Raj