  1. Bitbucket Server
  2. BSERV-13175

Vulnerability in LESS Transformer Plugin used by Bitbucket


Details

    Description

      Issue Summary

      As of Bitbucket 7.21, the LESS Transformer Plugin shipped is version 4.0.0. Unfortunately, it has a dependency on commons-codec version 1.4, which has a number of known security vulnerabilities.

      e.g. commons-codec:commons-codec / 1.4
      Apache Commons Codec org.apache.commons.codec.language.Soundex.US_ENGLISH_MAPPING Missing MS_PKGPROTECT Field Manipulation

      Version 4.0.2 of the plugin uses commons-codec 1.15.

      This bug is to update the version of the LESS Transformer Plugin shipped with Bitbucket.

      Steps to Reproduce

      1. jar -tvf /opt/atlassian/bitbucket/app/WEB-INF/atlassian-bundled-plugins/less-transformer-plugin-4.0.0.jar 2>/dev/null | grep commons-codec
        58160 Tue Dec 11 00:24:14 UTC 2018 META-INF/lib/commons-codec-1.4.jar
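      The step above relies on the `jar` tool and eyeballing the output. As an added example (not part of this ticket or of Atlassian's code), the following Python script performs the same check offline for any number of bundled plugins: it lists the jars nested under META-INF/lib inside a plugin jar, parses their artifact name and version, and reports every one that falls below a required minimum. The function names, the `META-INF/lib/<artifact>-<version>.jar` layout (taken from the output in step 1) and the stand-in jars built in memory are assumptions for illustration; the stand-ins are constructed, not the real less-transformer-plugin artifact.

```python
import io
import re
import sys
import zipfile

# Nested artifact jars inside a plugin jar, e.g. META-INF/lib/commons-codec-1.4.jar
# (layout assumed from the `jar -tvf` output in the steps to reproduce).
NESTED_JAR_RE = re.compile(
    r"^META-INF/lib/(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$"
)


def parse_version(version):
    """Turn '1.15' into (1, 15) so that 1.15 sorts after 1.4 (string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def list_nested_jars(jar_bytes):
    """Return {artifact: version} for every jar bundled under META-INF/lib."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            match = NESTED_JAR_RE.match(name)
            if match:
                found[match.group("artifact")] = match.group("version")
    return found


def check_minimum_versions(jar_bytes, minimums):
    """Compare bundled jars against required minimum versions.

    Returns a list of (artifact, bundled_version, required_version) for every
    bundled artifact that is older than the minimum in `minimums`.
    """
    bundled = list_nested_jars(jar_bytes)
    findings = []
    for artifact, required in minimums.items():
        bundled_version = bundled.get(artifact)
        if bundled_version is not None and parse_version(bundled_version) < parse_version(required):
            findings.append((artifact, bundled_version, required))
    return findings


def build_sample_plugin_jar(nested_jar_names):
    """Constructed stand-in for a plugin jar (hypothetical, not the real artifact).

    Only the entry paths matter for the check, so the nested jars are empty.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in nested_jar_names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples mirroring the ticket: 4.0.0 bundles 1.4, 4.0.2 bundles 1.15.
OLD_PLUGIN = build_sample_plugin_jar(["META-INF/lib/commons-codec-1.4.jar"])
NEW_PLUGIN = build_sample_plugin_jar(["META-INF/lib/commons-codec-1.15.jar"])
MINIMUMS = {"commons-codec": "1.15"}


if __name__ == "__main__":
    # Pass real plugin jar paths on the command line; with none, audit the constructed sample.
    paths = sys.argv[1:]
    inputs = [(p, open(p, "rb").read()) for p in paths] or [("<constructed sample>", OLD_PLUGIN)]
    for label, data in inputs:
        for artifact, bundled_version, required in check_minimum_versions(data, MINIMUMS):
            print(f"{label}: {artifact} {bundled_version} bundled, >= {required} required")
```

      Point it at every jar in atlassian-bundled-plugins after an upgrade to confirm that no plugin still carries the old commons-codec; the numeric version tuple is what makes the comparison correct, since a plain string comparison would rank "1.4" above "1.15".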

      Expected Results

      Ship with commons-codec-1.15.jar

      Actual Results

      N/A

      Workaround

      None available at this time.

      People

        Josh Aguilar
        Chris Berry
        Votes: 0
        Watchers: 3