Bitbucket Data Center / BSERV-12099

Remote Code Execution (RCE) via Argument Injection


      Issue Summary

      Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.
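      The general bug class described above, shown as an added example: this is not Bitbucket's code, and the function names, the allow-list pattern and the sample input are assumptions made for illustration. It contrasts a command builder that passes request values straight into a Git argument list with one that validates them and fences them off from option parsing.

```python
import re

# Conservative allow-list for a user-supplied ref name (assumption: stricter
# than git's own ref-format rules). The first character may not be '-'.
_SAFE_REF = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._/-]{0,254}")


def naive_argv(rev, path):
    """Vulnerable pattern: request values dropped straight into argv."""
    return ["git", "log", rev, path]


def safe_argv(rev, path):
    """Hardened pattern: validate the revision, fence it with
    --end-of-options (Git 2.24+), and put the path after '--'."""
    if not _SAFE_REF.fullmatch(rev) or ".." in rev:
        raise ValueError("rejected revision: %r" % rev)
    if "\x00" in path:
        raise ValueError("rejected path")
    return ["git", "log", "--end-of-options", rev, "--", path]


def tokens_read_as_options(argv):
    """Model of git's option scan: after the subcommand, any token starting
    with '-' is an option until '--' or '--end-of-options' is reached."""
    found = []
    for tok in argv[2:]:
        if tok in ("--", "--end-of-options"):
            break
        if tok.startswith("-"):
            found.append(tok)
    return found


if __name__ == "__main__":
    hostile = "--constructed-option=value"  # constructed sample input
    print(tokens_read_as_options(naive_argv(hostile, "README.md")))
    print(tokens_read_as_options(safe_argv("main", "-odd-file")))
    try:
        safe_argv(hostile, "README.md")
    except ValueError as exc:
        print(exc)
```

      Passing the list to the process API without a shell keeps each value a single argument; the separators and the allow-list are what stop a value from being read as an option.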

      Affected versions:

      The versions of Bitbucket Server affected by this vulnerability are:

      • from version 1.x.x before 5.16.11 (fixed version for 5.16.x),
      • from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
      • from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
      • from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
      • from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
      • from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
      • from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
      • from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
      • from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
      • from version 6.8.x before 6.8.2 (fixed version for 6.8.x),
      • from version 6.9.x before 6.9.1 (fixed version for 6.9.x).

      Workaround

      Currently there is no known workaround.

            sraj2@atlassian.com FNU