Atlassian Bitbucket Data Center up to 8.19.5 redirect

Summaryinfo

A vulnerability was found in Atlassian Bitbucket Data Center up to 8.19.5. It has been classified as problematic. The impacted element is an unknown function. This manipulation causes redirect. The identification of this vulnerability is CVE-2024-21684. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability has been found in Atlassian Bitbucket Data Center up to 8.19.5 and classified as problematic. Affected by this vulnerability is an unknown code block. The manipulation with an unknown input leads to a redirect vulnerability. The CWE definition for the vulnerability is CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. As an impact it is known to affect integrity. The summary by CVE is:

There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2. This open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for further exploitation which has low impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Bitbucket Data Center customers upgrade to the version. If you are unable to do so, upgrade your instance to one of the supported fixed versions.

The advisory is shared at jira.atlassian.com. This vulnerability is known as CVE-2024-21684 since 01/01/2024. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1204.001 for this issue.

Upgrading to version 8.9.17 or 8.19.6 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• Atlassian

Name

• Bitbucket Data Center

Version

• 8.0.0
• 8.0.1
• 8.0.2
• 8.0.3
• 8.0.4
• 8.0.5
• 8.1.0
• 8.1.1
• 8.1.2
• 8.1.3
• 8.1.4
• 8.1.5
• 8.2.0
• 8.2.1
• 8.2.2
• 8.2.3
• 8.2.4
• 8.3.0
• 8.3.1
• 8.3.2
• 8.3.3
• 8.3.4
• 8.4.0
• 8.4.1
• 8.4.2
• 8.4.3
• 8.4.4
• 8.5.0
• 8.5.1
• 8.5.2
• 8.5.3
• 8.5.4
• 8.6.0
• 8.6.1
• 8.6.2
• 8.6.3
• 8.6.4
• 8.7.0
• 8.7.1
• 8.7.2
• 8.7.3
• 8.7.4
• 8.7.5
• 8.8.0
• 8.8.1
• 8.8.2
• 8.8.3
• 8.8.4
• 8.8.5
• 8.8.6
• 8.8.7
• 8.9.0
• 8.9.1
• 8.9.2
• 8.9.3
• 8.9.4
• 8.9.5
• 8.9.6
• 8.9.7
• 8.9.8
• 8.9.9
• 8.9.10
• 8.9.11
• 8.9.12
• 8.9.13
• 8.9.14
• 8.9.15
• 8.9.16
• 8.19.0
• 8.19.1
• 8.19.2
• 8.19.3
• 8.19.4
• 8.19.5

License

• free

Website

• Vendor: https://www.atlassian.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion