CVE-2017-16857

8.5HIGH

Key Information:

Vendor: Atlassian
Status: Auto-unapprove Plugin (for Bitbucket Server)
Vendor: CVE Published:; 5 December 2017

Summary

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.

Affected Version(s)

Auto-Unapprove Plugin (for Bitbucket Server) All versions prior to version 3.0.1

References

https://jira.atlassian.com/browse/BSERV-10439

x_refsource_CONFIRM

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 5, 2017
Vulnerability Reserved
Nov 16, 2017