Critical Vulnerability inBitbucket Server & Data Center

Which products are affected?

  • Bitbucket Server and Bitbucket Data Center

You can find Atlassian’s official communication at the following link: Vulnerability Note 15 January 2020.

You can also follow the progress of the incidence at the following link: Vulnerability incidence 15 January 2020.

  • Remote Code Execution (RCE) via certain user input fields – CVE-2019-15010

It is a vulnerability that allows a remote attacker with user permissions to execute arbitrary commands on the Bitbucket Sever instance or Data center. This vulnerability has been present since Server and Data Center versions 3.0.0 on Bitbucket due to remote code execution that could be carried out through certain user input fields (fields).

  • Remote Code Execution (RCE) via post-receive hook – CVE-2019-20097

It is a vulnerability that allows a remote attacker to execute arbitrary commands on the system using a file with specific content when it has permissions to clone and push files to the repository of the victim’s Bitbucket Server or Data center instance.

  • Remote Code Execution (RCE) via edit-file request – CVE-2019-15012

It is a vulnerability exploited via the edit-file request. A remote attacker with write permissions to the repository can write to any file in the victim’s Bitbucket Server or Data Center instance using the edit-file endpoint.

In some cases, this vulnerability can result in arbitrary code execution from the victim’s Bitbucket instance.

Customers who are under any of the following versions:

  • All versions < 5.16.11. For example 3.0.0, 4.13.1, etc.
  • 6.0.X <= version < 6.0.11. For example 6.0.1, etc.
  • 6.1.X <= version < 6.1.9. For example 6.1.3, etc.
  • 6.2.X <= version < 6.2.7. For example 6.2.2, etc.
  • 6.3.X <= version < 6.3.6. For example 6.3.4, etc.
  • 6.4.X <= version < 6.4.4. For example 6.4.1, etc.
  • 6.5.X <= version < 6.5.3. For example 6.5.1, etc.
  • 6.6.X <= version < 6.6.3. For example 6.6.2, etc.
  • 6.7.X <= version < 6.7.3. For example 6.7.1, etc.
  • 6.8.X <= version < 6.8.2. For example 6.8.0, etc.
  • 6.9.X <= version < 6.9.1. For example 6.9.0, etc.

Some specific versions contain a fix that blocks this vulnerability. If you have any of the following versions, your installation will NOT be affected:

  • Version 5.16.11
  • Version 6.0.11
  • Version 6.1.9
  • Version 6.2.7
  • Version 6.3.6
  • Version 6.4.4
  • Version 6.5.3
  • Version 6.6.3
  • Version 6.7.3
  • Version 6.8.2
  • Version 6.9.1

If affected by this vulnerability, Atlassian lays out some ways to mitigate it:

Atlassian’s recommended response to permanently mitigate this vulnerability is to update (Official Download Center) the product to the latest version (6.9.1).

If it is not possible to update immediately, as a temporary solution for the CVE-2019-15012 vulnerability, the edit-file function should be disabled by entering bitbucket.properties and assigning feature.file.editor=false. To find more information regarding this solution you can follow the following link.

With respect to the CVE-2019-15010 and CVE-2019-20097 vulnerabilities, there is no workaround yet and it is very important that you update to one of the secure versions as soon as possible.

More information can be found in the Mitigation section of this Atlassian white paper.

Related posts

AWS Managed4
30 January, 2025

DeepSeek

DeepSeek is revolutionizing AI, but its open access poses challenges in cybersecurity. Learn how Ite
Región AWS en México3
14 January, 2025

AWS Region in Mexico: the cloud is now tricolor

The cloud is now tricolor! Learn how the new AWS Region in Mexico will revolutionize digital transfo
AWS re_Invent 2024_3
19 December, 2024

AWS re:Invent 2024: A Look at the Innovations Shaping the Future

Itera brings you closer to the major updates and releases of AWS re:Invent 2024, from generative AI

Topics

Atlassian Bitbucket Data Center Jira Bitbucket Vulnerability

Ready to take full control of your cloud investment?

Contact us

Success stories

Casos de éxito
We strengthened their educational model with a more secure and highly available digital platform.

Success stories

Casos de éxito
We implemented comprehensive solutions that optimized requirements management, adding value to their vessels and technology transfers.
We implemented a comprehensive solution that standardized the implementation of services and minimized the provision of the workstation.