First published: Thu Feb 15 2018
An argument injection vulnerability in the "at" parameter of the download commit resource in Atlassian Bitbucket Server (from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3, and from version 5.4.0 before version 5.4.1) allows remote attackers to write files to disk (potentially allowing them to gain code execution), exploit CVE-2017-1000117 if a vulnerable version of git is in use, and/or determine if an internal service exists.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix |
---|---|---|
Atlassian Bitbucket | >=5.1.0<5.1.7 | |
Atlassian Bitbucket | >=5.2.0<5.2.5 | |
Atlassian Bitbucket | >=5.3.0<5.3.3 | |
Atlassian Bitbucket | >5.4.0<5.4.1 | |
The vulnerability ID for this issue is CVE-2017-18087.
The severity of CVE-2017-18087 is high with a severity value of 7.5.
Atlassian Bitbucket Server versions from 5.1.0 before 5.1.7, from 5.2.0 before 5.2.5, from 5.3.0 before 5.3.3, and from 5.4.0 before 5.4.1 are affected by CVE-2017-18087.
CVE-2017-18087 allows remote attackers to write files to disk, potentially allowing them to compromise the system.
To fix CVE-2017-18087, upgrade Atlassian Bitbucket Server to a version beyond the affected range.