  1. Bitbucket Server
  2. BSERV-12099

Remote Code Execution (RCE) via Argument Injection

      Description

      Issue Summary

      Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.
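The class of bug described above, shown from the defender's side as an added example; it is not Atlassian's code and not the actual Bitbucket fix. The function names, the ref allow-list and the sample values are assumptions made for illustration. It contrasts a Git command line built directly from user input with one that validates the value and fences it behind Git's option separators.

```python
import re

# Assumption: a conservative allow-list for revision names. Real Git ref rules
# (see `git check-ref-format`) are broader; the key property here is that the
# first character can never be "-".
_SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")


class UnsafeArgument(ValueError):
    """A user-supplied value that Git could parse as something other than data."""


def validate_ref(value):
    """Return value unchanged if it can only be read as a revision name."""
    if not _SAFE_REF.fullmatch(value):
        raise UnsafeArgument(f"rejected revision: {value!r}")
    return value


def build_log_argv_unsafe(ref, path):
    """'Before' form: user input sits where Git still accepts options."""
    return ["git", "log", "--oneline", ref, path]


def build_log_argv(ref, path):
    """Hardened form: validate the ref, then mark where options end.

    --end-of-options (Git 2.24+) stops option parsing before the revision;
    "--" separates revisions from paths. The list is meant to be passed to
    subprocess.run() without a shell.
    """
    if not path or "\x00" in path:
        raise UnsafeArgument("rejected path")
    return ["git", "log", "--oneline", "--end-of-options",
            validate_ref(ref), "--", path]


def option_positions(argv):
    """Indexes of elements Git would parse as options (simplified model:
    anything starting with "-" that appears before a separator)."""
    found = []
    for i, arg in enumerate(argv[2:], start=2):
        if arg in ("--", "--end-of-options"):
            break
        if arg.startswith("-"):
            found.append(i)
    return found
```

With a constructed value such as `--constructed-option=x` as the revision, the unsafe builder yields an extra option position, while the hardened builder raises `UnsafeArgument` before any command line exists.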

      Affected versions:

      The versions of Bitbucket Server affected by this vulnerability are:

      • from version 1.x.x before 5.16.11 (fixed version for 5.16.x),
      • from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
      • from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
      • from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
      • from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
      • from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
      • from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
      • from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
      • from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
      • from version 6.8.x before 6.8.2 (fixed version for 6.8.x),
      • from version 6.9.x before 6.9.1 (fixed version for 6.9.x).

      Workaround

      Currently there is no known workaround.

              People

              Assignee:
              Unassigned
              Reporter:
              sraj2@atlassian.com Sparsh Raj