Low There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system. This vulnerability was introduced in Bitbucket Server and Data Center version 7.0.
Affected versions:
- 7.0.0 ≤ version < 7.6.19
- 7.7.0 ≤ version < 7.17.12
- 7.18.0 ≤ version < 7.21.6
- 7.22.0 ≤ version < 8.0.5
- 8.1.0 ≤ version < 8.1.5
- 8.2.0 ≤ version < 8.2.4
- 8.3.0 ≤ version < 8.3.3
- 8.4.0 ≤ version < 8.4.2
Fixed versions:
- 7.6.19 or newer
- 7.17.12 or newer
- 7.21.6 or newer
- 8.0.5 or newer
- 8.1.5 or newer
- 8.2.4 or newer
- 8.3.3 or newer
- 8.4.2 or newer
- 8.5.0 or newer
For full descriptions of the above versions of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket from the download center. For Frequently Asked Questions (FAQ) click here.
For additional details, see the full advisory: https://confluence.atlassian.com/x/Y4hXRg
- mentioned in
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 9.0 => Critical severity
Exploitability Metrics
Scope Metric
Impact Metrics
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H