CVE-2019-20097

Summary

Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Bitbucket Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content.

Affected Software

VendorProductVersion RangeStatus
AtlassianBitbucket Server1.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 5.16.11affected
AtlassianBitbucket Server6.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.0.11affected
AtlassianBitbucket Server6.1.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.1.9affected
AtlassianBitbucket Server6.2.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.2.7affected
AtlassianBitbucket Server6.3.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.3.6affected
AtlassianBitbucket Server6.4.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.4.4affected
AtlassianBitbucket Server6.5.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.5.3affected
AtlassianBitbucket Server6.6.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.6.3affected
AtlassianBitbucket Server6.7.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.7.3affected
AtlassianBitbucket Server6.8.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.8.2affected
AtlassianBitbucket Server6.9.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 6.9.1affected
AtlassianBitbucket Data Center1.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 5.16.11affected
AtlassianBitbucket Data Center6.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.0.11affected
AtlassianBitbucket Data Center6.1.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.1.9affected
AtlassianBitbucket Data Center6.2.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.2.7affected
AtlassianBitbucket Data Center6.3.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.3.6affected
AtlassianBitbucket Data Center6.4.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.4.4affected
AtlassianBitbucket Data Center6.5.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.5.3affected
AtlassianBitbucket Data Center6.6.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.6.3affected
AtlassianBitbucket Data Center6.7.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.7.3affected
AtlassianBitbucket Data Center6.8.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.8.2affected
AtlassianBitbucket Data Center6.9.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 6.9.1affected

Weaknesses

  • Argument Injection

ADP Enrichment

CVE Program Container

Additional References

References