PT-2018-16816 · Atlassian · Bitbucket Server+1

Matt Hart · Published 2018-03-22 · Updated 2018-04-20 · CVE-2018-5225

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Atlassian Bitbucket Server versions 4.13.0 through 5.4.7
Atlassian Bitbucket Server versions 5.5.0 through 5.5.7
Atlassian Bitbucket Server versions 5.6.0 through 5.6.4
Atlassian Bitbucket Server versions 5.7.0 through 5.7.2
Atlassian Bitbucket Server versions 5.8.0 through 5.8.1

Description

The issue allows authenticated users to gain remote code execution using the in-browser editing feature via editing a symbolic link within a repository.

Recommendations

For versions 4.13.0 through 5.4.7, update to version 5.4.8 or later.
For versions 5.5.0 through 5.5.7, update to version 5.5.8 or later.
For versions 5.6.0 through 5.6.4, update to version 5.6.5 or later.
For versions 5.7.0 through 5.7.2, update to version 5.7.3 or later.
For versions 5.8.0 through 5.8.1, update to version 5.8.2 or later.

Fix

RCE

Link Following

Weakness Enumeration

Related Identifiers

CVE-2018-5225

Affected Products

Bitbucket Server
Bitbucket