Details
High Description
Issue Summary
Bitbucket Server versions >= 4.13 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file on the filesystem that is accessible to the user running Bitbucket Server, using the edit-file endpoint. In some cases, this can result in execution of arbitrary code by the victim's Bitbucket Server instance.
Affected versions:
The versions of Bitbucket Server affected by this vulnerability are:
- from version 4.13.x before 5.16.11 (fixed version for 5.16.x),
- from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
- from version 6.1.x before 6.1.9 (fixed version for 6.0.x),
- from version 6.2.x before 6.2.7 (fixed version for 6.0.x),
- from version 6.3.x before 6.3.6 (fixed version for 6.0.x),
- from version 6.4.x before 6.4.4 (fixed version for 6.0.x),
- from version 6.5.x before 6.5.3 (fixed version for 6.0.x),
- from version 6.6.x before 6.6.3 (fixed version for 6.0.x),
- from version 6.7.x before 6.7.3 (fixed version for 6.0.x),
- from version 6.8.x before 6.8.2 (fixed version for 6.0.x)
- from version 6.9.x before 6.9.1 (fixed version for 6.0.x)
Workaround
The edit-file feature can be disabled by following the steps below:
- In bitbucket.properties, set feature.file.editor=false
- Restart the Bitbucket Server instance
For more information, see: https://confluence.atlassian.com/bitbucketserver/bitbucket-server-config-properties-776640155.html