[BSERV-12753] Privilege Escalation Vulnerability in Atlassian Bitbucket on Windows - CVE-2020-36233 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 7.6.4, 7.10.1, 6.10.9
Affects Version/s: 6.10.0, 7.8.0
Component/s: Security - Other
Labels:

Symptom Severity:
Severity 1 - Critical
CVSS Score:
7.8
CVE ID:
CVE-2020-36233
Vulnerability Classes:

PrivEsc (Priviledge Escalation)

Issue Summary

Atlassian Bitbucket on Windows fails to properly set ACLs on its installation directory. Because Bitbucket installs High-privileged services, this allows for multiple privilege escalation vulnerability possibilities.

Affected Versions

The following versions are only affected on Windows:

All versions < 6.10.9
7.x < 7.6.4
7.7.x
7.8.x
7.9.x
7.10.0

Fixed Versions

6.10.9 (Long Term Support release)
7.6.4 (Long Term Support release)
7.10.1

relates to: VULN-229700 Failed to load

Brian Adeloye (Inactive) added a comment - 16/Feb/2021 7:51 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.8 => High severity

Exploitability Metrics

Attack Vector	Local
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Brian Adeloye (Inactive) added a comment - 16/Feb/2021 7:51 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.8 => High severity Exploitability Metrics Attack Vector Local Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: Christopher Kochovski

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 16/Feb/2021 12:44 AM

Updated:: 21/Nov/2023 6:35 AM

Resolved:: 16/Feb/2021 12:44 AM

Bitbucket Data Center

Details

Description

Issue Summary

Affected Versions

Fixed Versions

Attachments

Issue Links

Forms

Activity

[BSERV-12753] Privilege Escalation Vulnerability in Atlassian Bitbucket on Windows - CVE-2020-36233

Collapse comment: Brian Adeloye (Inactive) added a comment - 16/Feb/2021 7:51 PM

Expand comment: Brian Adeloye (Inactive) added a comment - 16/Feb/2021 7:51 PM

People

Dates

Backbone Issue Sync