You can find Atlassian’s official communication at the following link: Vulnerability Note 15 January 2020.
You can also follow the progress of the incident at the following link: Vulnerability incident 15 January 2020.
It is a vulnerability that allows a remote attacker with user permissions to execute arbitrary commands on the Bitbucket Server or Data Center instance. This vulnerability has been present in Bitbucket Server and Data Center since version 3.0.0, because certain user input fields could be used to achieve remote code execution.
It is a vulnerability that allows a remote attacker who has permission to clone and push to a repository on the victim’s Bitbucket Server or Data Center instance to execute arbitrary commands on the system by pushing a file with specific content.
It is a vulnerability exploited via the edit-file request. A remote attacker with write permissions to the repository can write to any file in the victim’s Bitbucket Server or Data Center instance using the edit-file endpoint.
In some cases, this vulnerability can result in arbitrary code execution from the victim’s Bitbucket instance.
Customers running any of the following versions are affected:
Some specific versions contain a fix that blocks this vulnerability. If you have any of the following versions, your installation will NOT be affected:
If affected by this vulnerability, Atlassian lays out some ways to mitigate it:
Atlassian’s recommended response, which permanently mitigates this vulnerability, is to update the product to the latest version (6.9.1) from the Official Download Center.
If it is not possible to update immediately, as a temporary workaround for the CVE-2019-15012 vulnerability the edit-file function should be disabled by editing bitbucket.properties and setting feature.file.editor=false. More information about this workaround is available at the following link.
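As an added check (example code, not from Atlassian or the advisory), the following Python script reads a bitbucket.properties file and reports whether the CVE-2019-15012 workaround is actually in effect. It follows the java.util.Properties rules that matter here: lines starting with # or ! are comments, the key and value may be separated by =, : or whitespace, and when a key appears more than once the last assignment wins. The path to the properties file and the assumption that a missing key means the editor is enabled are the example's own.

```python
"""Verify that feature.file.editor=false is in effect in bitbucket.properties.

Added example, not Atlassian code. Handles a subset of the
java.util.Properties format ('#'/'!' comments, '=', ':' or whitespace
separators, later keys override earlier ones). Backslash line
continuations are not handled.
"""
import re
import sys

KEY = "feature.file.editor"
# A property line: key, optional separator, value (value may be empty).
LINE_RE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text: str) -> dict:
    """Return the effective key/value map; a repeated key keeps its last value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment (a commented-out key does not count)
        m = LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def file_editor_disabled(text: str) -> bool:
    """True only if the last effective assignment sets the key to false.

    Assumption: a missing key means the file editor is enabled, which is
    what the advisory's workaround implies.
    """
    return parse_properties(text).get(KEY, "true").lower() == "false"


# Constructed samples: the first only has the workaround commented out.
SAMPLE_UNMITIGATED = "# constructed sample\nserver.port=7990\n#feature.file.editor=false\n"
SAMPLE_MITIGATED = "server.port=7990\nfeature.file.editor = true\nfeature.file.editor=false\n"


if __name__ == "__main__":
    # Usage: python check_editor.py /path/to/bitbucket.properties
    with open(sys.argv[1], encoding="utf-8") as fh:
        status = "DISABLED (workaround in effect)" if file_editor_disabled(fh.read()) \
            else "ENABLED (workaround NOT in effect)"
    print(f"{KEY}: {status}")
```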
With respect to the CVE-2019-15010 and CVE-2019-20097 vulnerabilities there is no workaround yet, so it is very important that you update to one of the fixed versions as soon as possible.
More information can be found in the Mitigation section of this Atlassian white paper.