CVE-2019-15012

Summary

Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance.

Affected Software

VendorProductVersion RangeStatus
AtlassianBitbucket Server4.13 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 5.16.11affected
AtlassianBitbucket Server6.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.0.11affected
AtlassianBitbucket Server6.1.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.1.9affected
AtlassianBitbucket Server6.2.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.2.7affected
AtlassianBitbucket Server6.3.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.3.6affected
AtlassianBitbucket Server6.4.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.4.4affected
AtlassianBitbucket Server6.5.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.5.3affected
AtlassianBitbucket Server6.6.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.6.3affected
AtlassianBitbucket Server6.7.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.7.3affected
AtlassianBitbucket Server6.8.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.8.2affected
AtlassianBitbucket Server6.9.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.9.1affected
AtlassianBitbucket Data Center4.13 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 5.16.11affected
AtlassianBitbucket Data Center6.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.0.11affected
AtlassianBitbucket Data Center6.1.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.1.9affected
AtlassianBitbucket Data Center6.2.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.2.7affected
AtlassianBitbucket Data Center6.3.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.3.6affected
AtlassianBitbucket Data Center6.4.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.4.4affected
AtlassianBitbucket Data Center6.5.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.5.3affected
AtlassianBitbucket Data Center6.6.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.6.3affected
AtlassianBitbucket Data Center6.7.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.7.3affected
AtlassianBitbucket Data Center6.8.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.8.2affected
AtlassianBitbucket Data Center6.9.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.9.1affected

Weaknesses

  • Path traversal

ADP Enrichment

CVE Program Container

Additional References

References