Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 8.7.5, 8.8.6, 8.9.3, 8.10.3
Affects Version/s: 8.7.0, 8.8.0, 8.9.0, 8.10.0
Component/s: Security - Other
Labels:

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Problem

All Bitbucket versions, excluding 8.11.x, use Spring Security 5.7.7 or older, leading to Security scans listing Bitbucket as vulnerable to CVE-2023-20862.

Environment

Any Bitbucket older than version 8.11.0

Steps to Reproduce

Check what spring-security is installed in the system by running a find command:

find .  -name spring-security*

Expected Results

find .  -name spring-security*
./atlassian-bitbucket-8.11.0/app/WEB-INF/lib/spring-security-web-5.7.8.jar
./atlassian-bitbucket-8.11.0/app/WEB-INF/lib/spring-security-config-5.7.8.jar
./atlassian-bitbucket-8.11.0/app/WEB-INF/lib/spring-security-crypto-5.7.8.jar
./atlassian-bitbucket-8.11.0/app/WEB-INF/lib/spring-security-core-5.7.8.jar

Actual Results

find .  -name spring-security*
./atlassian-bitbucket-8.7.4/app/WEB-INF/lib/spring-security-core-5.7.5.jar
./atlassian-bitbucket-8.7.4/app/WEB-INF/lib/spring-security-crypto-5.7.5.jar
./atlassian-bitbucket-8.7.4/app/WEB-INF/lib/spring-security-config-5.7.5.jar
./atlassian-bitbucket-8.7.4/app/WEB-INF/lib/spring-security-web-5.7.5.jar
./atlassian-bitbucket-8.8.5/app/WEB-INF/lib/spring-security-core-5.7.5.jar
./atlassian-bitbucket-8.8.5/app/WEB-INF/lib/spring-security-crypto-5.7.5.jar
./atlassian-bitbucket-8.8.5/app/WEB-INF/lib/spring-security-config-5.7.5.jar
./atlassian-bitbucket-8.8.5/app/WEB-INF/lib/spring-security-web-5.7.5.jar
./atlassian-bitbucket-8.9.2/app/WEB-INF/lib/spring-security-core-5.7.5.jar
./atlassian-bitbucket-8.9.2/app/WEB-INF/lib/spring-security-crypto-5.7.5.jar
./atlassian-bitbucket-8.9.2/app/WEB-INF/lib/spring-security-config-5.7.5.jar
./atlassian-bitbucket-8.9.2/app/WEB-INF/lib/spring-security-web-5.7.5.jar
./atlassian-bitbucket-8.10.2/app/WEB-INF/lib/spring-security-crypto-5.7.7.jar
./atlassian-bitbucket-8.10.2/app/WEB-INF/lib/spring-security-core-5.7.7.jar
./atlassian-bitbucket-8.10.2/app/WEB-INF/lib/spring-security-config-5.7.7.jar
./atlassian-bitbucket-8.10.2/app/WEB-INF/lib/spring-security-web-5.7.7.jar

Workaround

The only workaround available would be to upgrade Bitbucket to version 8.11.x

Notes

Attachments

Activity

People

Assignee:: Christopher Kochovski

Reporter:: Ulisses Azevedo

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Jun/2023 7:25 PM

Updated:: 11/Jul/2023 8:19 PM

Resolved:: 04/Jul/2023 1:22 AM