Meelogic Atlassian Blog

Bitbucket Server Security Advisory System Advisory 2020-01-15

Summary of Vulnerability

This advisory discloses critical severity security vulnerabilities in the Bitbucket Server and Data Center versions listed above (“Affected Bitbucket Server and Data Center Versions”).

  • Customers who have downloaded and installed any of the Bitbucket Server and Data Center versions listed above (“Affected Bitbucket Server and Data Center Versions”) are affected.
  • Please upgrade your Bitbucket Server and Data Center installations immediately to fix this vulnerability.
  • Customers using Bitbucket Cloud are not affected.
  • Bitbucket Smart Mirrors are not affected.
  • Customers who have upgraded Bitbucket Server and Data Center to versions 5.16.11, 6.0.11, 6.1.9, 6.2.7, 6.3.6, 6.4.4, 6.5.3, 6.6.3, 6.7.3, 6.8.2, 6.9.1 or higher are not affected.

Remote Code Execution (RCE) via certain user input fields – CVE-2019-15010

Severity

Atlassian has given this vulnerability critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server and Data Center versions starting from 3.0.0 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim’s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim’s Bitbucket server or Data Center instance.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 3.x.x before 5.16.11 (the fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

Remote Code Execution (RCE) via post-receive hook – CVE-2019-20097

Severity

Atlassian has given this vulnerability critical rating. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server and Data Center versions starting from 1.0.0 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim’s Bitbucket Server or Data Center instance, can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Data Center systems, using a file with specially crafted content.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 1.x.x before 5.16.11 (fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

Remote Code Execution (RCE) via edit-file request – CVE-2019-15012

Severity

Atlassian has given this vulnerability critical CVSS score. This rating was given according to the Atlassian security levels, which rank vulnerabilities as critical, high, moderate, or low severity.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

Bitbucket Server and Data Center versions >= 4.13 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victim’s Bitbucket Server or Data Center instance using the edit-file endpoint, if the user Bitbucket Server or Data Center is running as has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victim’s Bitbucket Server instance.

The versions of Bitbucket Server and Data Center affected by this vulnerability are:

  • from version 4.13.x before 5.16.11 (fixed version for 5.16.x),
  • from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
  • from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
  • from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
  • from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
  • from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
  • from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
  • from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
  • from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
  • from version 6.8.x before 6.8.2 (fixed version for 6.8.x)
  • from version 6.9.x before 6.9.1 (fixed version for 6.9.x)

Fix

To address these issues, we have released Bitbucket Server and Data Center version:

  • 5.16.11 that contains a fix for these issues.
  • 6.0.11 that contains a fix for these issues.
  • 6.1.9 that contains a fix for these issues.
  • 6.2.7 that contains a fix for these issues.
  • 6.3.6 that contains a fix for these issues.
  • 6.4.4 that contains a fix for these issues.
  • 6.5.3 that contains a fix for these issues.
  • 6.6.3 that contains a fix for these issues.
  • 6.7.3 that contains a fix for these issues.
  • 6.8.2 that contains a fix for these issues.
  • 6.9.1 that contains a fix for these issues.

These versions can be downloaded at https://www.atlassian.com/software/bitbucket/download-archives, with the latest version at https://www.atlassian.com/software/bitbucket/download.

What You Need to Do

Atlassian recommends you upgrade to the latest version (6.9.1). For a complete description of the latest version of Bitbucket Server and Data Center, see the Release Notes. You can download the latest version of Bitbucket Server and Data Center from the Atlassian website.

If you can’t upgrade to the latest version (6.9.1):

1.x.x, 2.x.x, 3.x.x, 4.x.x or 5.x.x 5.16.11
6.0.x 6.0.11
6.1.x 6.1.9
6.2.x 6.2.7
6.3.x 6.3.6
6.4.x 6.4.4
6.5.x 6.5.3
6.6.x 6.6.3
6.7.x 6.7.3
6.8.x 6.8.2