Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 4.8.0
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

An anonymous user can gain read-only access to some administrative pages by crafting a malicious GET request. This vulnerability was originally detected in Spring Security (CVE-5006).

Customers who have downloaded and installed Bitbucket Server (formerly Stash) >= 2.4.2 less than 4.8.x
Please upgrade your Bitbucket Server (formerly Stash) installations to fix this vulnerability.

A known fix for this problem is detailed below:

<!-- JSR-303 (bean validations) support will be detected on classpath and enabled automatically -->
    <mvc:annotation-driven validator="validator">
        <mvc:message-converters>
            <bean class="org.springframework.http.converter.BufferedImageHttpMessageConverter"/>
        </mvc:message-converters>
        <mvc:path-matching suffix-pattern="false"  path-matcher="pathMatcher"  />
    </mvc:annotation-driven>
    <bean id="pathMatcher" class="org.springframework.util.AntPathMatcher">
	    <property name="trimTokens" value="false" />
    </bean>

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

relates to: SCT-3394 Loading...

(1 relates to)

Activity

People

Assignee:: Matt Hart (Inactive)

Reporter:: Matt Hart (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 19/Jan/2017 3:16 AM

Updated:: 14/Nov/2019 12:03 AM

Resolved:: 19/Jan/2017 3:17 AM