CVE-2017-18088

15.02.2018, 13:29

Various plugin servlet resources in Atlassian Bitbucket Server before version 5.3.7 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.6 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.6 (the fixed version for 5.5.x), from version 5.6.0 before 5.6.3 (the fixed version for 5.6.x), from version 5.7.0 before 5.7.1 (the fixed version for 5.7.x) and before 5.8.0 allow remote attackers to conduct clickjacking attacks via framing various resources that lacked clickjacking protection.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
atlassian	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 43%

Vendor	Product	Version
atlassian	bitbucket	5.3.0 ≤ 𝑥 < 5.3.7
atlassian	bitbucket	5.4.0 ≤ 𝑥 < 5.4.6
atlassian	bitbucket	5.5.0 ≤ 𝑥 < 5.5.6
atlassian	bitbucket	5.6.0 ≤ 𝑥 < 5.6.3
atlassian	bitbucket	5.7.0 ≤ 𝑥 < 5.7.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

http://www.securityfocus.com/bid/103040

https://jira.atlassian.com/browse/BSERV-10594

http://www.securityfocus.com/bid/103040

https://jira.atlassian.com/browse/BSERV-10594