CVE-2017-18087

7.5HIGH

Key Information:

Vendor: Atlassian
Status: Bitbucket Server
Vendor: CVE Published:; 15 February 2018

Summary

The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use, and or determine if an internal service exists via an argument injection vulnerability in the at parameter.

Affected Version(s)

Bitbucket Server from 5.1.0 prior to 5.1.7

Bitbucket Server from 5.2.0 prior to 5.2.5

Bitbucket Server from 5.3.0 prior to 5.3.3

References

http://www.securityfocus.com/bid/103038

vdb-entryx_refsource_BID

https://jira.atlassian.com/browse/BSERV-10593

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 15, 2018
Vulnerability Reserved
Feb 1, 2018