CVE-2019-15010 Information

Description

Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11 from version 6.0.0 before 6.0.11 from version 6.1.0 before 6.1.9 from version 6.2.0 before 6.2.7 from version 6.3.0 before 6.3.6 from version 6.4.0 before 6.4.4 from version 6.5.0 before 6.5.3 from version 6.6.0 before 6.6.3 from version 6.7.0 before 6.7.3 from version 6.8.0 before 6.8.2 and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim’s systems. Using a specially crafted payload as user input the attacker can execute arbitrary commands on the victim’s Bitbucket Server or Bitbucket Data Center instance.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://jira.atlassian.com/browse/BSERV-12098

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8