Issue Summary

Bitbucket Server versions >= 4.13 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file on the filesystem that is accessible to the user running Bitbucket Server, using the edit-file endpoint. In some cases, this can result in execution of arbitrary code by the victim's Bitbucket Server instance.

Affected versions:
The versions of Bitbucket Server affected by this vulnerability are:

• from version 4.13.x before 5.16.11 (fixed version for 5.16.x),
• from version 6.0.x before 6.0.11 (fixed version for 6.0.x), 
• from version 6.1.x before 6.1.9 (fixed version for 6.0.x), 
• from version 6.2.x before 6.2.7 (fixed version for 6.0.x), 
• from version 6.3.x before 6.3.6 (fixed version for 6.0.x), 
• from version 6.4.x before 6.4.4 (fixed version for 6.0.x), 
• from version 6.5.x before 6.5.3 (fixed version for 6.0.x), 
• from version 6.6.x before 6.6.3 (fixed version for 6.0.x), 
• from version 6.7.x before 6.7.3 (fixed version for 6.0.x), 
• from version 6.8.x before 6.8.2 (fixed version for 6.0.x)
• from version 6.9.x before 6.9.1 (fixed version for 6.0.x)

Workaround

The edit-file feature can be disabled by following the steps below:

• In bitbucket.properties, set feature.file.editor=false
• Restart the Bitbucket Server instance

For more information, see: https://confluence.atlassian.com/bitbucketserver/bitbucket-server-config-properties-776640155.html