[BSERV-12433] SSRF in Webhooks - CVE-2020-14170 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: None
Affects Version/s: 5.4.0, 8.14.0
Component/s: Webhooks
Labels:

Support reference count:
2
Symptom Severity:
Severity 2 - Major
UIS:
2
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Bitbucket Data Center allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability in Webhooks.

When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information.

mentioned in: Page Failed to load

Andrei Khudavets added a comment - 30/Jun/2020 5:16 AM

ntangirala@atlassian.com, the original issue (BSERV-12372) has been fixed. What should we do with this sanitized copy?

Andrei Khudavets added a comment - 30/Jun/2020 5:16 AM ntangirala@atlassian.com , the original issue (BSERV-12372) has been fixed. What should we do with this sanitized copy?

Security Metrics Bot added a comment - 23/Jun/2020 4:27 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Security Metrics Bot added a comment - 23/Jun/2020 4:27 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Assignee:: Dyon Georgopoulos

Reporter:: Security Metrics Bot

Affected customers:: 1 This affects my team

Watchers:: 8 Start watching this issue

Created:: 23/Jun/2020 4:27 PM

Updated:: 30/Apr/2024 1:27 AM

Resolved:: 30/Apr/2024 12:03 AM

Bitbucket Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[BSERV-12433] SSRF in Webhooks - CVE-2020-14170

Collapse comment: Andrei Khudavets added a comment - 30/Jun/2020 5:16 AM

Expand comment: Andrei Khudavets added a comment - 30/Jun/2020 5:16 AM

Collapse comment: Security Metrics Bot added a comment - 23/Jun/2020 4:27 PM

Expand comment: Security Metrics Bot added a comment - 23/Jun/2020 4:27 PM

People

Dates

Backbone Issue Sync