[BSERV-12433] SSRF in Webhooks - CVE-2020-14170 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 5.4.0
Fix Version/s: 7.3.1
Component/s: Webhooks
Labels:
- CVE-2020-14170
- advisory
- advisory-released
- cvss-medium
- dob-pr
- security
- ssrf

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Affected versions of Atlassian Bitbucket Server allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability in Webhooks.

When running in an environment like Amazon EC2, this flaw may be used to access to a metadata resource that provides access credentials and other potentially confidential information.

Affected versions:

5.4.0 <= version < 7.3.1

Fixed versions:

7.3.1

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Due:: 22/Sep/2020

Created:: 23/Jun/2020 4:27 PM

Updated:: 08/Jul/2020 4:36 PM

Resolved:: 30/Jun/2020 5:44 PM

Backbone Issue Sync

Backbone Issue Sync is enabled for your project, but there is no synchronization info for this issue.