First published: Thu Mar 22 2018
In-browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x) allows authenticated users to gain remote code execution through the in-browser editing feature by editing a symbolic link within a repository.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix
---|---|---
Atlassian Bitbucket | >=4.13.0 <5.4.8 | Upgrade to 5.4.8 or later
Atlassian Bitbucket | >=5.5.0 <5.5.8 | Upgrade to 5.5.8 or later
Atlassian Bitbucket | >=5.6.0 <5.6.5 | Upgrade to 5.6.5 or later
Atlassian Bitbucket | >=5.7.0 <5.7.3 | Upgrade to 5.7.3 or later
Atlassian Bitbucket | >=5.8.0 <5.8.2 | Upgrade to 5.8.2 or later
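The affected ranges above are per release line, with fixed builds interleaved between them (5.4.8 is fixed, 5.5.0 is affected again), so a naive "less than 5.8.2" comparison gets it wrong. The following added example (not part of the advisory or of Atlassian's tooling) checks an installed Bitbucket Server version string against each range and reports the first fixed release to move to; the inventory hostnames and version strings are constructed sample data.

```python
"""Version check for CVE-2018-5225 (Atlassian Bitbucket Server).

Added example, not part of the advisory: given an installed Bitbucket
Server version string, report whether it falls in an affected range and
which fixed release to upgrade to. Ranges are taken from the advisory text.
"""
import re

# (first affected, first fixed) per release line, as listed in the advisory.
AFFECTED_RANGES = [
    ("4.13.0", "5.4.8"),
    ("5.5.0", "5.5.8"),
    ("5.6.0", "5.6.5"),
    ("5.7.0", "5.7.3"),
    ("5.8.0", "5.8.2"),
]


def parse_version(version):
    """Turn '5.4.7' (or '5.7', or '5.4.7-rc1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised Bitbucket version: %r" % version)
    return tuple(int(p or 0) for p in m.groups())


def check_cve_2018_5225(version):
    """Return (affected, fixed_version); fixed_version is None when not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Each range is inclusive of the first affected build, exclusive of the fix.
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return True, first_fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported Bitbucket Server version.
    inventory = {"bb-prod": "5.4.7", "bb-staging": "5.8.2", "bb-legacy": "4.12.3"}
    for host, ver in inventory.items():
        affected, fixed = check_cve_2018_5225(ver)
        status = "AFFECTED, upgrade to %s" % fixed if affected else "not affected"
        print("%s (%s): %s" % (host, ver, status))
```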
CVE-2018-5225 is a vulnerability in the in-browser editing feature of Atlassian Bitbucket Server that allows an authenticated user to gain remote code execution by editing a symbolic link within a repository.
CVE-2018-5225 has a severity level of critical with a CVSS score of 9.9.
CVE-2018-5225 affects Atlassian Bitbucket Server versions 4.13.0 through 5.4.7, 5.5.0 through 5.5.7, 5.6.0 through 5.6.4, 5.7.0 through 5.7.2, and 5.8.0 through 5.8.1.
To fix the CVE-2018-5225 vulnerability, users should update their Atlassian Bitbucket Server to version 5.4.8 or later, 5.5.8 or later, 5.6.5 or later, 5.7.3 or later, or 5.8.2 or later, depending on the release line in use.
For more information about CVE-2018-5225, you can refer to the following resources: [SecurityFocus](http://www.securityfocus.com/bid/103488), [Atlassian Confluence](https://confluence.atlassian.com/x/3WNsO), [Atlassian JIRA](https://jira.atlassian.com/browse/BSERV-10684).