CVE-2017-16857

Summary

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.

Affected Software

VendorProductVersion RangeStatus
AtlassianAuto-Unapprove Plugin (for Bitbucket Server)All versions prior to version 3.0.1affected

Weaknesses

  • Brute Force Attack

ADP Enrichment

CVE Program Container

Additional References

References