First published: Wed Jan 15 2020
Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Bitbucket | >=3.0.0 <5.16.11 | |
| Atlassian Bitbucket | >=6.0.0 <6.0.11 | |
| Atlassian Bitbucket | >=6.1.0 <6.1.9 | |
| Atlassian Bitbucket | >=6.2.0 <6.2.7 | |
| Atlassian Bitbucket | >=6.3.0 <6.3.6 | |
| Atlassian Bitbucket | >=6.4.0 <6.4.4 | |
| Atlassian Bitbucket | >=6.5.0 <6.5.3 | |
| Atlassian Bitbucket | >=6.6.0 <6.6.3 | |
| Atlassian Bitbucket | >=6.7.0 <6.7.3 | |
| Atlassian Bitbucket | >=6.8.0 <6.8.2 | |
| Atlassian Bitbucket | >=6.9.0 <6.9.1 | |
CVE-2019-15010 is a vulnerability in Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1.
CVE-2019-15010 has a severity rating of 8.8 (high).
CVE-2019-15010 affects the Bitbucket Server and Bitbucket Data Center versions listed above; a remote attacker with user-level permissions can exploit it to execute arbitrary code or gain unauthorized access to sensitive information.
To check if your Bitbucket Server or Bitbucket Data Center version is affected, refer to the Atlassian Bitbucket release notes and compare the version number with the vulnerable versions mentioned in the vulnerability description.
To mitigate the CVE-2019-15010 vulnerability, it is recommended to upgrade your Bitbucket Server or Bitbucket Data Center to a patched version that is not vulnerable to the exploit. Refer to the Atlassian Bitbucket security advisory and follow the recommended upgrade process.
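The check described above is easy to get wrong by hand because the affected ranges are per release line and a naive string comparison puts 5.6.11 after 5.16.11. The following script is an added example, not SecAlerts' or Atlassian's own tooling: it encodes the ranges exactly as the advisory states them (inclusive lower bound, exclusive upper bound) and compares a version numerically. It assumes Bitbucket version strings are dotted integers, treats a missing patch component as 0, and infers the "upgrade to" target as the upper bound of the matching range, since the advisory phrases each range as "before X"; confirm the actual fixed release against the Atlassian advisory.

```python
"""Check a Bitbucket Server / Data Center version against the CVE-2019-15010
affected ranges stated in the advisory above. Added example, not SecAlerts'
or Atlassian's own tooling."""
from typing import Optional, Tuple

# (inclusive lower bound, exclusive upper bound) pairs, copied from the advisory text.
AFFECTED_RANGES = [
    ("3.0.0", "5.16.11"),
    ("6.0.0", "6.0.11"),
    ("6.1.0", "6.1.9"),
    ("6.2.0", "6.2.7"),
    ("6.3.0", "6.3.6"),
    ("6.4.0", "6.4.4"),
    ("6.5.0", "6.5.3"),
    ("6.6.0", "6.6.3"),
    ("6.7.0", "6.7.3"),
    ("6.8.0", "6.8.2"),
    ("6.9.0", "6.9.1"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'x.y.z' into an integer tuple so that 5.16.11 > 5.6.11 compares
    numerically rather than as a string. Missing trailing components count
    as 0 (assumption: '6.1' means 6.1.0)."""
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            raise ValueError(f"non-numeric version component: {part!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (lower, upper) advisory range containing `version`, or None
    if the version falls in no listed range (including lines the advisory
    does not mention at all)."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return (low, high)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def minimum_fixed_version(version: str) -> Optional[str]:
    """For an affected version, the exclusive upper bound of its range. The
    advisory says 'before X', so X is the first release in that line not
    listed as affected; this is an inference from the ranges, not a
    statement from the page."""
    r = affected_range(version)
    return r[1] if r else None


if __name__ == "__main__":
    import sys
    # Constructed sample inputs; pass real version strings as arguments instead.
    for arg in sys.argv[1:] or ["5.6.11", "5.16.11", "6.4.3", "6.9.1", "7.0.0"]:
        r = affected_range(arg)
        if r:
            print(f"{arg}: AFFECTED ({r[0]} <= v < {r[1]}); upgrade to >= {r[1]}")
        else:
            print(f"{arg}: not within any range listed in the advisory")
```

Run it with the version shown in the Bitbucket administration page as the argument. A result of "not within any range listed" means only that the advisory does not list that version; it is not a statement that later release lines are unaffected, so still check the Atlassian advisory for lines newer than 6.9.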