Uploaded image for project: 'Bitbucket Server'
  1. Bitbucket Server
  2. BSERV-12100

Remote Code Execution (RCE) via in Browser Editing

    XMLWordPrintable

    Details

      Description

      Issue Summary

      Bitbucket Server versions >= 4.13 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file on the filesystem that is accessible to the user running Bitbucket Server, using the edit-file endpoint. In some cases, this can result in execution of arbitrary code by the victim's Bitbucket Server instance.

      Affected versions:
      The versions of Bitbucket Server affected by this vulnerability are:

      • from version 4.13.x before 5.16.11 (fixed version for 5.16.x),
      • from version 6.0.x before 6.0.11 (fixed version for 6.0.x), 
      • from version 6.1.x before 6.1.9 (fixed version for 6.0.x), 
      • from version 6.2.x before 6.2.7 (fixed version for 6.0.x), 
      • from version 6.3.x before 6.3.6 (fixed version for 6.0.x), 
      • from version 6.4.x before 6.4.4 (fixed version for 6.0.x), 
      • from version 6.5.x before 6.5.3 (fixed version for 6.0.x), 
      • from version 6.6.x before 6.6.3 (fixed version for 6.0.x), 
      • from version 6.7.x before 6.7.3 (fixed version for 6.0.x), 
      • from version 6.8.x before 6.8.2 (fixed version for 6.0.x)
      • from version 6.9.x before 6.9.1 (fixed version for 6.0.x)

      Workaround

      The edit-file feature can be disabled by following the steps below:

      • In bitbucket.properties, set feature.file.editor=false
      • Restart the Bitbucket Server instance

      For more information, see: https://confluence.atlassian.com/bitbucketserver/bitbucket-server-config-properties-776640155.html

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              sraj2@atlassian.com FNU
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: