Bug
Resolution: Fixed
Low
Severity 2 - Major
An anonymous user can gain read-only access to some administrative pages by crafting a malicious GET request. The underlying flaw was originally reported in Spring Security (CVE-5006): the URL pattern matcher that enforces authorization and the one that routes requests to controllers differ in strictness (for example in whether whitespace in a path segment is trimmed), so a request path that the authorization layer does not recognise as protected can still be routed to a protected handler.
Affected versions: Bitbucket Server (formerly Stash) from 2.4.2 up to, but not including, the 4.8 line.
Please upgrade your Bitbucket Server (formerly Stash) installation to a fixed release.
The fix applied to the Spring MVC configuration is shown below: suffix pattern matching is switched off and the path matcher is told not to trim tokens, so that the routing layer matches paths as strictly as the authorization layer does.
    <!-- JSR-303 (bean validations) support will be detected on classpath and enabled automatically -->
    <mvc:annotation-driven validator="validator">
        <mvc:message-converters>
            <bean class="org.springframework.http.converter.BufferedImageHttpMessageConverter"/>
        </mvc:message-converters>
        <mvc:path-matching suffix-pattern="false" path-matcher="pathMatcher" />
    </mvc:annotation-driven>

    <bean id="pathMatcher" class="org.springframework.util.AntPathMatcher">
        <property name="trimTokens" value="false" />
    </bean>
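The following is an added example, not code from Bitbucket Server or Spring, that shows the trimTokens half of the fix in isolation. It compares a strict matcher (the way an authorization layer checks a protected pattern) with a routing-side AntPathMatcher that trims whitespace from path segments, as older Spring Framework releases did by default, and with one configured like the bean above. The protected pattern "/admin/settings", the request paths and the isBypass helper are all constructed for illustration and are not taken from the advisory.

```java
import org.springframework.util.AntPathMatcher;

/**
 * Added example (not Bitbucket Server or Spring project code): demonstrates why
 * the authorization-side and routing-side path matchers must tokenize paths
 * identically. Pattern, request paths and the bypass check are assumptions made
 * for this illustration.
 */
public class PathMatchMismatchDemo {

    // Assumed protected pattern; not taken from the Bitbucket configuration.
    static final String ADMIN_PATTERN = "/admin/settings";

    // Authorization-side matcher: strict, whitespace in a segment is significant.
    static final AntPathMatcher authzMatcher = new AntPathMatcher();

    // Routing-side matcher configured the way older Spring Framework releases
    // behaved by default: whitespace around each path segment is trimmed.
    static final AntPathMatcher legacyRoutingMatcher = new AntPathMatcher();

    // Routing-side matcher configured like the pathMatcher bean in the fix.
    static final AntPathMatcher fixedRoutingMatcher = new AntPathMatcher();

    static {
        authzMatcher.setTrimTokens(false);
        legacyRoutingMatcher.setTrimTokens(true);
        fixedRoutingMatcher.setTrimTokens(false);
    }

    /**
     * A bypass exists when the authorization layer decides the request does not
     * touch the protected pattern, yet the routing layer still maps the same
     * request onto the handler behind that pattern.
     */
    static boolean isBypass(AntPathMatcher routingMatcher, String requestPath) {
        boolean protectedByAuthz = authzMatcher.match(ADMIN_PATTERN, requestPath);
        boolean routedToAdmin = routingMatcher.match(ADMIN_PATTERN, requestPath);
        return !protectedByAuthz && routedToAdmin;
    }

    public static void main(String[] args) {
        // Decoded form of a request for "/admin/settings%20": trailing space in the last segment.
        String crafted = "/admin/settings ";
        String normal = "/admin/settings";

        System.out.println("normal path,  legacy routing: bypass=" + isBypass(legacyRoutingMatcher, normal));
        System.out.println("crafted path, legacy routing: bypass=" + isBypass(legacyRoutingMatcher, crafted));
        System.out.println("crafted path, fixed routing:  bypass=" + isBypass(fixedRoutingMatcher, crafted));
    }
}
```

With the trimming matcher on the routing side, the crafted path is not matched by the strict authorization check (its last segment is "settings " rather than "settings") but is still trimmed and routed to the admin handler, which is the bypass. Once the routing matcher is built with trimTokens=false, both layers reject the crafted path the same way and the discrepancy disappears. The suffix-pattern="false" setting in the configuration closes the analogous gap for extension-style suffixes on a mapped path and is not covered by this example.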