Critical Vulnerability in Bitbucket Server & Data Center
https://www.iteraprocess.com/en/2020/01/17/critical-vulnerability-in-bitbucket-server-data-center/
Fri, 17 Jan 2020 15:42:37 +0000

Welcome to our blog

We are contacting you to inform you of a security vulnerability classified by Atlassian as critical, detected in the Bitbucket Server and Bitbucket Data Center products and officially communicated by Atlassian just a few hours ago.

The post Critical Vulnerability in Bitbucket Server & Data Center appeared first on Itera Process.


Critical Vulnerability in Bitbucket Server & Data Center

Which products are affected?

  • Bitbucket Server and Bitbucket Data Center

You can find Atlassian’s official communication at the following link: Vulnerability Note 15 January 2020.

You can also follow the progress of the incident at the following link: Vulnerability incident 15 January 2020.

  • Remote Code Execution (RCE) via certain user input fields – CVE-2019-15010

This vulnerability allows a remote attacker with user permissions to execute arbitrary commands on the Bitbucket Server or Data Center instance. It has been present since Bitbucket Server and Data Center version 3.0.0 and is reachable through certain user input fields.

  • Remote Code Execution (RCE) via post-receive hook – CVE-2019-20097

This vulnerability allows a remote attacker who has permission to clone and push to a repository on the victim's Bitbucket Server or Data Center instance to execute arbitrary commands on the system by pushing a file with specific content.

  • Remote Code Execution (RCE) via edit-file request – CVE-2019-15012

This vulnerability is exploited via the edit-file request: a remote attacker with write permission to a repository can write to any file on the victim's Bitbucket Server or Data Center instance through the edit-file endpoint.

In some cases, this vulnerability can result in arbitrary code execution from the victim’s Bitbucket instance.

Customers running any of the following versions are affected:

  • All versions < 5.16.11. For example 3.0.0, 4.13.1, etc.
  • 6.0.X <= version < 6.0.11. For example 6.0.1, etc.
  • 6.1.X <= version < 6.1.9. For example 6.1.3, etc.
  • 6.2.X <= version < 6.2.7. For example 6.2.2, etc.
  • 6.3.X <= version < 6.3.6. For example 6.3.4, etc.
  • 6.4.X <= version < 6.4.4. For example 6.4.1, etc.
  • 6.5.X <= version < 6.5.3. For example 6.5.1, etc.
  • 6.6.X <= version < 6.6.3. For example 6.6.2, etc.
  • 6.7.X <= version < 6.7.3. For example 6.7.1, etc.
  • 6.8.X <= version < 6.8.2. For example 6.8.0, etc.
  • 6.9.X <= version < 6.9.1. For example 6.9.0, etc.

Some specific versions contain a fix that blocks this vulnerability. If you have any of the following versions, your installation will NOT be affected:

  • Version 5.16.11
  • Version 6.0.11
  • Version 6.1.9
  • Version 6.2.7
  • Version 6.3.6
  • Version 6.4.4
  • Version 6.5.3
  • Version 6.6.3
  • Version 6.7.3
  • Version 6.8.2
  • Version 6.9.1

If affected by this vulnerability, Atlassian lays out some ways to mitigate it:

Atlassian’s recommended response to permanently mitigate this vulnerability is to update (Official Download Center) the product to the latest version (6.9.1).

If it is not possible to update immediately, as a temporary workaround for CVE-2019-15012 the edit-file function should be disabled by setting feature.file.editor=false in bitbucket.properties. More information about this workaround is available at the following link.
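To make the version ranges above and the bitbucket.properties workaround easy to check on your own instances, here is an added Python example. It is not code from Atlassian or Itera Process; the version table is transcribed from the lists above, the helper names (parse_version, is_affected, minimum_fix, file_editor_disabled) are our own, and the sample properties text is constructed. It only recognises the key=value / key:value forms of a properties file, which is enough for the single key the workaround uses.

```python
"""Check a Bitbucket Server / Data Center version against the affected ranges
from Atlassian's January 2020 advisory and verify the CVE-2019-15012 workaround.
Added example; version ranges transcribed from the advisory lists above."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed build of each release line, as listed in the advisory.
# Everything below 5.16.11 (3.x, 4.x, 5.0 - 5.16.10) is affected.
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (5, 16): (5, 16, 11),
    (6, 0): (6, 0, 11),
    (6, 1): (6, 1, 9),
    (6, 2): (6, 2, 7),
    (6, 3): (6, 3, 6),
    (6, 4): (6, 4, 4),
    (6, 5): (6, 5, 3),
    (6, 6): (6, 6, 3),
    (6, 7): (6, 7, 3),
    (6, 8): (6, 8, 2),
    (6, 9): (6, 9, 1),
}
OLDEST_FIX: Version = FIXED_BUILDS[(5, 16)]   # lower bound for "all versions < 5.16.11"

# Constructed sample bitbucket.properties (not taken from a real instance).
SAMPLE_PROPERTIES = """\
# constructed sample for illustration
server.port=7990
feature.file.editor=false
"""

_PROPERTY_RE = re.compile(r"^\s*([^#!=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Bitbucket version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's vulnerable ranges."""
    v = parse_version(text)
    if v < OLDEST_FIX:                  # all versions < 5.16.11
        return True
    fixed = FIXED_BUILDS.get(v[:2])     # 6.0.x .. 6.9.x below their fixed build
    return fixed is not None and v < fixed


def minimum_fix(text: str) -> Optional[str]:
    """Lowest fixed build on the same release line (5.16.11 for older lines),
    or None when the version is not affected."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    fixed = FIXED_BUILDS.get(v[:2], OLDEST_FIX)
    return ".".join(str(n) for n in fixed)


def file_editor_disabled(properties_text: str) -> bool:
    """True when bitbucket.properties sets feature.file.editor=false.
    Comment lines (# or !) are ignored; the last assignment wins."""
    value = None
    for line in properties_text.splitlines():
        m = _PROPERTY_RE.match(line)
        if m and m.group(1) == "feature.file.editor":
            value = m.group(2).lower()
    return value == "false"


if __name__ == "__main__":
    for candidate in ("4.13.1", "6.2.2", "6.9.0", "6.9.1"):
        status = "AFFECTED" if is_affected(candidate) else "not affected"
        fix = minimum_fix(candidate)
        print(f"{candidate}: {status}" + (f", upgrade to at least {fix}" if fix else ""))
    print("edit-file workaround applied:", file_editor_disabled(SAMPLE_PROPERTIES))
```

minimum_fix reports the smallest build that closes the hole for your release line; Atlassian's actual recommendation is the latest release (6.9.1), so treat the same-line build as the floor, not the target. Note that the workaround check only covers CVE-2019-15012; an instance that passes it but is on an affected version still needs the upgrade for the other two CVEs.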

With respect to the CVE-2019-15010 and CVE-2019-20097 vulnerabilities, there is no workaround yet and it is very important that you update to one of the secure versions as soon as possible.

More information can be found in the Mitigation section of this Atlassian white paper.

