First published: Thu Feb 02 2017 (Updated: )
The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed version for 5.2.x), from version 5.3.0 before 5.3.4 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.2 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.1 (the fixed version for 5.5.x) and before 5.6.0 allows remote attackers to read arbitrary files via a path traversal vulnerability through the name of a git tag.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Bitbucket | >=3.7.0 <4.14.11 | Upgrade to 4.14.11 |
| Atlassian Bitbucket | >=5.0.0 <5.0.9 | Upgrade to 5.0.9 |
| Atlassian Bitbucket | >=5.1.0 <5.1.8 | Upgrade to 5.1.8 |
| Atlassian Bitbucket | >=5.2.0 <5.2.6 | Upgrade to 5.2.6 |
| Atlassian Bitbucket | >=5.3.0 <5.3.4 | Upgrade to 5.3.4 |
| Atlassian Bitbucket | >=5.4.0 <5.4.2 | Upgrade to 5.4.2 |
| Atlassian Bitbucket | =5.5.0 | Upgrade to 5.5.1 |
| Atlassian Bitbucket | =5.5.2 | Upgrade to 5.6.0 |
| Atlassian Bitbucket | =5.5.3 | Upgrade to 5.6.0 |
| Atlassian Bitbucket | =5.5.4 | Upgrade to 5.6.0 |
| Atlassian Bitbucket | =5.5.5 | Upgrade to 5.6.0 |
| Atlassian Bitbucket | =5.5.6 | Upgrade to 5.6.0 |
The vulnerability ID for this issue is CVE-2017-18037.
Atlassian Bitbucket Server versions 3.7.0 to 5.5.6 are affected by this vulnerability.
The severity score of this vulnerability is 6.5 (Medium).
To fix this vulnerability, update Atlassian Bitbucket Server to the fixed release for your branch: 4.14.11 (for 4.14.x), 5.0.9 (for 5.0.x), 5.1.8 (for 5.1.x), 5.2.6 (for 5.2.x), 5.3.4 (for 5.3.x), 5.4.2 (for 5.4.x), 5.5.1 (for 5.5.x), or 5.6.0 and later.
More information about this vulnerability can be found on the Atlassian website at the following link: [https://jira.atlassian.com/browse/BSERV-10595](https://jira.atlassian.com/browse/BSERV-10595)
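The defect described above is a tag name taken from a REST request and used to build a filesystem path without validation. The following added example (not Bitbucket's code; the `repo_dir` layout, function names and the hypothetical `refs/tags` lookup are assumptions) shows the two checks a defender would want in such a resource: reject anything that is not a well-formed git tag name under git's own `check-ref-format` rules, which already forbid `..`, and independently confirm that the resolved path stays inside the directory it is supposed to address.

```python
from pathlib import Path

# Subset of git's check-ref-format rules that matters for tag names.
FORBIDDEN_SUBSTRINGS = ("..", "@{", "//")
FORBIDDEN_CHARS = set(" ~^:?*[\\") | {chr(c) for c in range(0, 32)} | {chr(127)}


def is_valid_tag_name(name: str) -> bool:
    """Return True only for a tag name git itself would accept (subset of check-ref-format)."""
    if not name or name.startswith("/") or name.endswith("/"):
        return False
    if name.endswith(".") or name.endswith(".lock"):
        return False
    if any(s in name for s in FORBIDDEN_SUBSTRINGS):
        return False
    if any(ch in FORBIDDEN_CHARS for ch in name):
        return False
    for component in name.split("/"):
        # No empty components, no dot-prefixed components, no *.lock components.
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def resolve_tag_path(repo_dir: str, tag_name: str) -> Path:
    """Map a user-supplied tag name to <repo_dir>/refs/tags/<tag_name> (hypothetical layout).

    Raises ValueError if the name is not a valid git tag name or if the resolved
    path would land outside refs/tags. Both checks are applied: the name rules
    stop traversal sequences at the input boundary, and the containment check
    catches anything the name rules did not anticipate.
    """
    if not is_valid_tag_name(tag_name):
        raise ValueError(f"invalid tag name: {tag_name!r}")
    tags_root = Path(repo_dir, "refs", "tags").resolve()
    candidate = (tags_root / tag_name).resolve()
    if candidate != tags_root and tags_root not in candidate.parents:
        raise ValueError("tag name resolves outside refs/tags")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: a normal tag and a traversal attempt.
    print(resolve_tag_path("repo", "v1.2.3"))
    try:
        resolve_tag_path("repo", "../../etc/passwd")
    except ValueError as exc:
        print("rejected:", exc)
```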