CVE-2017-18088

EUVD-2017-9225

15.02.2018, 13:29

Various plugin servlet resources in Atlassian Bitbucket Server before version 5.3.7 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.6 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.6 (the fixed version for 5.5.x), from version 5.6.0 before 5.6.3 (the fixed version for 5.6.x), from version 5.7.0 before 5.7.1 (the fixed version for 5.7.x) and before 5.8.0 allow remote attackers to conduct clickjacking attacks via framing various resources that lacked clickjacking protection.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 42%

Affected Products (NVD)

Vendor	Product	Version
atlassian	bitbucket	5.3.0 ≤ 𝑥 < 5.3.7
atlassian	bitbucket	5.4.0 ≤ 𝑥 < 5.4.6
atlassian	bitbucket	5.5.0 ≤ 𝑥 < 5.5.6
atlassian	bitbucket	5.6.0 ≤ 𝑥 < 5.6.3
atlassian	bitbucket	5.7.0 ≤ 𝑥 < 5.7.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://www.securityfocus.com/bid/103040

https://jira.atlassian.com/browse/BSERV-10594

http://www.securityfocus.com/bid/103040

https://jira.atlassian.com/browse/BSERV-10594