Issue Summary

Bitbucket Server and Bitbucket Data Center had an argument injection vulnerability that allowed an attacker to inject additional arguments into the Git commands the server runs, which could lead to remote code execution. Remote attackers can exploit this vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, attackers are able to exploit this issue anonymously.
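
The defensive pattern for this vulnerability class is to make sure a user-controlled string can never be parsed by Git as an option: validate it against an allow-list, reject anything that begins with a dash, pass arguments as a list (no shell), and put user-supplied paths after the `--` end-of-options marker. The following is an added example written for this advisory; it is not Bitbucket Server code, and the function names, the `_SAFE_VALUE` pattern and the sample inputs are assumptions made here for illustration.

```python
"""Defensive construction of git command lines from user-supplied values.

Added example for the argument-injection class described above (not code
from Bitbucket Server). User values are validated and positioned so git's
option parser can never see them as options.
"""
import re
import subprocess
from typing import List, Sequence

# Assumed allow-list for this example: ref names and paths limited to a
# conservative character set. A real deployment should mirror the rules of
# `git check-ref-format` for refs and its own path policy for paths.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/\-]{0,255}$")


class ArgumentInjectionError(ValueError):
    """Raised when a user-supplied value could be interpreted as a git option."""


def validate_user_value(value: str) -> str:
    """Return the value unchanged if it is safe to hand to git as data."""
    if not value:
        raise ArgumentInjectionError("empty value")
    if value.startswith("-"):
        # The core of the bug class: a leading dash turns data into an option.
        raise ArgumentInjectionError(f"value would be parsed as an option: {value!r}")
    if "\x00" in value or "\n" in value:
        raise ArgumentInjectionError("control character in value")
    if not _SAFE_VALUE.match(value):
        raise ArgumentInjectionError(f"value outside allow-list: {value!r}")
    return value


def is_safe_user_value(value: str) -> bool:
    """Boolean form of validate_user_value, convenient for checks and tests."""
    try:
        validate_user_value(value)
        return True
    except ArgumentInjectionError:
        return False


def build_git_argv(subcommand: str, fixed_options: Sequence[str],
                   user_refs: Sequence[str], user_paths: Sequence[str]) -> List[str]:
    """Build an argv list for git.

    `fixed_options` are chosen by the application (trusted). `user_refs` and
    `user_paths` come from a request (untrusted): both are validated, refs go
    before `--` (git would treat them as paths after it) and paths go after
    `--` so option parsing has already stopped when git reaches them.
    """
    argv = ["git", subcommand, *fixed_options]
    argv.extend(validate_user_value(r) for r in user_refs)
    argv.append("--")
    argv.extend(validate_user_value(p) for p in user_paths)
    return argv


def run_git(repo_dir: str, argv: Sequence[str]) -> str:
    """Execute git without a shell; a list argv is never re-parsed by /bin/sh."""
    completed = subprocess.run(argv, cwd=repo_dir, capture_output=True,
                               text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: a normal ref and path, then values that would have
    # been parsed as options had they been passed through unchecked.
    print(build_git_argv("log", ["--max-count=10"], ["refs/heads/main"], ["src/app.py"]))
    for bad in ["--help", "-n1"]:
        try:
            build_git_argv("log", ["--max-count=10"], [bad], [])
        except ArgumentInjectionError as exc:
            print("rejected:", exc)
```

The allow-list is the primary control; the leading-dash check and the `--` marker are defence in depth for the case where the allow-list is later loosened. Calling `subprocess.run` with a list rather than a string keeps the shell out of the picture entirely, so quoting mistakes cannot reintroduce injection.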

Affected versions:

The versions of Bitbucket Server affected by this vulnerability are:

• from version 1.x.x before 5.16.11 (fixed version for 5.16.x),
• from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
• from version 6.1.x before 6.1.9 (fixed version for 6.0.x),
• from version 6.2.x before 6.2.7 (fixed version for 6.0.x),
• from version 6.3.x before 6.3.6 (fixed version for 6.0.x),
• from version 6.4.x before 6.4.4 (fixed version for 6.0.x),
• from version 6.5.x before 6.5.3 (fixed version for 6.0.x),
• from version 6.6.x before 6.6.3 (fixed version for 6.0.x),
• from version 6.7.x before 6.7.3 (fixed version for 6.0.x),
• from version 6.8.x before 6.8.2 (fixed version for 6.0.x),
• from version 6.9.x before 6.9.1 (fixed version for 6.0.x).

Workaround

Currently there is no known workaround.

[BSERV-12099] Remote Code Execution (RCE) via Argument Injection
