Remote Code Execution (RCE) via certain user input fields

Issue Summary

Bitbucket Server versions starting from 3.0.0 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket server instance.

Affected versions:
The versions of Bitbucket Server affected by this vulnerability are:

• from version 3.x.x before 5.16.11 (the fixed version for 5.16.x),
• from version 6.0.x before 6.0.11 (the fixed version for 6.0.x), 
• from version 6.1.x before 6.1.9 (the fixed version for 6.0.x), 
• from version 6.2.x before 6.2.7 (the fixed version for 6.0.x), 
• from version 6.3.x before 6.3.6 (the fixed version for 6.0.x), 
• from version 6.4.x before 6.4.4 (the fixed version for 6.0.x), 
• from version 6.5.x before 6.5.3 (the fixed version for 6.0.x), 
• from version 6.6.x before 6.6.3 (the fixed version for 6.0.x), 
• from version 6.7.x before 6.7.3 (the fixed version for 6.0.x), 
• from version 6.8.x before 6.8.2 (the fixed version for 6.0.x)
• from version 6.9.x before 6.9.1 (the fixed version for 6.0.x)

Workaround

Currently there is no known workaround.