CVE-2019-15010

EUVD-2019-6097

15.01.2020, 21:15

Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.

Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 83%

Affected Products (NVD)

Vendor	Product	Version
atlassian	bitbucket	3.0.0 ≤ 𝑥 < 5.6.11
atlassian	bitbucket	6.0.0 ≤ 𝑥 < 6.0.11
atlassian	bitbucket	6.1.0 ≤ 𝑥 < 6.1.9
atlassian	bitbucket	6.2.0 ≤ 𝑥 < 6.2.7
atlassian	bitbucket	6.3.0 ≤ 𝑥 < 6.3.6
atlassian	bitbucket	6.4.0 ≤ 𝑥 < 6.4.4
atlassian	bitbucket	6.5.0 ≤ 𝑥 < 6.5.3
atlassian	bitbucket	6.6.0 ≤ 𝑥 < 6.6.3
atlassian	bitbucket	6.7.0 ≤ 𝑥 < 6.7.3
atlassian	bitbucket	6.8.0 ≤ 𝑥 < 6.8.2
atlassian	bitbucket	6.9.0 ≤ 𝑥 < 6.9.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References

https://jira.atlassian.com/browse/BSERV-12098