Atlassian Bitbucket Server up to 5.5.0 git Repository Tag Rest path traversal

Summaryinfo

A vulnerability classified as critical has been found in Atlassian Bitbucket Server up to 5.5.0. This affects an unknown part of the component git Repository Tag Rest Handler. This manipulation causes path traversal. This vulnerability is handled as CVE-2017-18037. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in Atlassian Bitbucket Server up to 5.5.0. It has been declared as critical. Affected by this vulnerability is some unknown processing of the component git Repository Tag Rest Handler. The manipulation with an unknown input leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. As an impact it is known to affect confidentiality. The summary by CVE is:

The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed version for 5.2.x), from version 5.3.0 before 5.3.4 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.2 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.1 (the fixed version for 5.5.x) and before 5.6.0 allows remote attackers to read arbitrary files via a path traversal vulnerability through the name of a git tag.

The bug was discovered 01/17/2018. The weakness was released 02/02/2018 (Website). The advisory is shared at jira.atlassian.com. This vulnerability is known as CVE-2017-18037 since 01/17/2018. The exploitation appears to be easy. The attack can be launched remotely. Required for exploitation is a single authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1006 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 16 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 4.14.11, 5.0.9, 5.1.8, 5.2.6, 5.3.4, 5.4.2, 5.5.1 or 5.6.0 eliminates this vulnerability.

Entries connected to this vulnerability are available at VDB-112742 and VDB-112740. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Atlassian

Name

• Bitbucket Server

Version

• 4.14.0
• 4.14.1
• 4.14.2
• 4.14.3
• 4.14.4
• 4.14.5
• 4.14.6
• 4.14.7
• 4.14.8
• 4.14.9
• 4.14.10
• 5.0
• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4
• 5.0.5
• 5.0.6
• 5.0.7
• 5.0.8
• 5.1
• 5.1.0
• 5.1.1
• 5.1.2
• 5.1.3
• 5.1.4
• 5.1.5
• 5.1.6
• 5.1.7
• 5.2
• 5.2.0
• 5.2.1
• 5.2.2
• 5.2.3
• 5.2.4
• 5.2.5
• 5.3
• 5.3.0
• 5.3.1
• 5.3.2
• 5.3.3
• 5.4
• 5.4.0
• 5.4.1
• 5.5.0

License

• free

Website

• Vendor: https://www.atlassian.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion