CVE-2019-15010

Summary

Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.

Affected Software

VendorProductVersion RangeStatus
AtlassianBitbucket Server3.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 5.16.11affected
AtlassianBitbucket Server6.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.0.11affected
AtlassianBitbucket Server6.1.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.1.9affected
AtlassianBitbucket Server6.2.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.2.7affected
AtlassianBitbucket Server6.3.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.3.6affected
AtlassianBitbucket Server6.4.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.4.4affected
AtlassianBitbucket Server6.5.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.5.3affected
AtlassianBitbucket Server6.6.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.6.3affected
AtlassianBitbucket Server6.7.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.7.3affected
AtlassianBitbucket Server6.8.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.8.2affected
AtlassianBitbucket Server6.9.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.9.1affected
AtlassianBitbucket Data Center3.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 5.16.11affected
AtlassianBitbucket Data Center6.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.0.11affected
AtlassianBitbucket Data Center6.1.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.1.9affected
AtlassianBitbucket Data Center6.2.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.2.7affected
AtlassianBitbucket Data Center6.3.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.3.6affected
AtlassianBitbucket Data Center6.4.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.4.4affected
AtlassianBitbucket Data Center6.5.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.5.3affected
AtlassianBitbucket Data Center6.6.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.6.3affected
AtlassianBitbucket Data Center6.7.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.7.3affected
AtlassianBitbucket Data Center6.8.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.8.2affected
AtlassianBitbucket Data Center6.9.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.9.1affected

Weaknesses

  • Expression Language Injection

ADP Enrichment

CVE Program Container

Additional References

References