CVE-2019-15000

CWE-78 — OS Command Injection4 documents4 sources

Severity

9.8CRITICAL

EPSS

11.0%

top 6.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Bitbucket Data Center Atlassian Bitbucket Server Atlassian Bitbucket

Timeline

PublishedSep 19

Latest updateMay 24

Description

The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) allows remote attackers who have permission to acces…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5atlassian/bitbucket_data_centerunspecified — 5.16.10+12

▶CVEListV5atlassian/bitbucket_serverunspecified — 5.16.10+12

▶NVDatlassian/bitbucket5.16.0 — 5.16.10+6

🔴Vulnerability Details

GHSA

GHSA-vh64-mrcj-mr4j: The commit diff rest endpoint in Bitbucket Server and Data Center before 5↗2022-05-24

▶

CVEList

CVE-2019-15000: The commit diff rest endpoint in Bitbucket Server and Data Center before 5↗2019-09-19

▶

📋Vendor Advisories

Chrome

Stable Channel Update for Desktop: CVE-2019-13699↗2019-10-22

▶