CVE-2017-18037

6.5MEDIUM

Key Information:

Vendor: Atlassian
Status: Bitbucket Server
Vendor: CVE Published:; 2 February 2018

Summary

The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed version for 5.2.x), from version 5.3.0 before 5.3.4 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.2 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.1 (the fixed version for 5.5.x) and before 5.6.0 allows remote attackers to read arbitrary files via a path traversal vulnerability through the name of a git tag.

Affected Version(s)

Bitbucket Server from 3.7.0 prior to 4.14.11

Bitbucket Server from 5.0.0 prior to 5.0.9

Bitbucket Server from 5.1.0 prior to 5.1.8

References

https://jira.atlassian.com/browse/BSERV-10595

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 2, 2018
Vulnerability Reserved
Jan 17, 2018