CVE-2018-5225

9.9CRITICAL

Key Information:

Vendor
Atlassian
Status
Bitbucket Server
Vendor
CVE Published:
22 March 2018

Summary

In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository.

Affected Version(s)

Bitbucket Server 4.13.0

Bitbucket Server < 5.4.8

Bitbucket Server 5.5.0

References

https://jira.atlassian.com/browse/BSERV-10684
x_refsource_CONFIRM
http://www.securityfocus.com/bid/103488
vdb-entryx_refsource_BID
https://confluence.atlassian.com/x/3WNsO
x_refsource_CONFIRM

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.