Atlassian Bitbucket vulnerabilities

20 known vulnerabilities affecting atlassian/bitbucket.

Total CVEs: 20
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in the wild: 1
Severity breakdown: CRITICAL 5, HIGH 7, MEDIUM 8

Vulnerabilities

CVE-2022-43781 | CRITICAL | CVSS 9.8 | Affected: ≥ 7.0.0, < 7.6.19; ≥ 7.7.0, < 7.17.12; +6 more | Published 2022-11-17
CWE-77. There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled "Allow public signup".
Source: NVD
CVE-2022-36804 | HIGH | CVSS 8.8 | CISA KEV; public PoC | Affected: ≥ 7.0.0, < 7.6.17; ≥ 7.7.0, < 7.17.10; +5 more | Published 2022-08-25
CWE-78. Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows […]
Source: NVD
CVE-2022-26136 | CRITICAL | CVSS 9.8 | Affected: fixed in 7.6.16; ≥ 7.7.0, < 7.17.8; +5 more | Published 2022-07-20
CWE-180. A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released update […]
Source: NVD
CVE-2022-26137 | HIGH | CVSS 8.8 | Affected: fixed in 7.6.16; ≥ 7.7.0, < 7.17.8; +5 more | Published 2022-07-20
CWE-180. A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a speci […]
Source: NVD
CVE-2020-36233 | HIGH | CVSS 7.8 | Affected: fixed in 6.10.9; ≥ 7.0.0, < 7.6.4; +1 more | Published 2021-02-18
CWE-276. The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
Source: NVD
CVE-2020-14171 | MEDIUM | CVSS 6.5 | Affected: ≥ 4.9.0, < 7.2.4 | Published 2020-07-09
CWE-319. Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
Source: NVD
CVE-2020-14170 | MEDIUM | CVSS 4.3 | Affected: ≥ 5.4.0, < 7.3.1 | Published 2020-07-09
CWE-918. Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.
Source: NVD
CVE-2019-15012 | HIGH | CVSS 8.8 | Affected: ≥ 4.13.0, < 5.16.11; ≥ 6.0.0, < 6.0.11; +9 more | Published 2020-01-15
CWE-269. Bitbucket Server and Bitbucket Data Center from version 4.13.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, […]
Source: NVD
CVE-2019-20097 | HIGH | CVSS 8.8 | Affected: ≥ 1.0.0, < 5.16.11; ≥ 6.0.0, < 6.0.11; +9 more | Published 2020-01-15
Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, […]
Source: NVD
CVE-2019-15010 | HIGH | CVSS 8.8 | Affected: ≥ 3.0.0, < 5.16.11; ≥ 6.0.0, < 6.0.11; +9 more | Published 2020-01-15
CWE-77. Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 […]
Source: NVD
CVE-2019-15005 | MEDIUM | CVSS 4.3 | Affected: fixed in 6.6.0 | Published 2019-11-08
CWE-862. The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulne […]
Source: NVD
CVE-2019-15000 | CRITICAL | CVSS 9.8 | Affected: ≥ 5.16.0, < 5.16.10; ≥ 6.0.0, < 6.0.10; +5 more | Published 2019-09-19
CWE-78. The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 befor […]
Source: NVD
CVE-2019-3397 | CRITICAL | CVSS 9.1 | Affected: ≥ 5.13.0, < 5.13.6; ≥ 5.14.0, < 5.14.4; +4 more | Published 2019-06-03
CWE-22. Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1. […]
Source: NVD
CVE-2018-5225 | CRITICAL | CVSS 9.9 | Affected: ≥ 4.13.0, < 5.4.8; fixed in 5.5.8; +3 more | Published 2018-03-22
CWE-59. In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated […]
Source: NVD
CVE-2017-18087 | HIGH | CVSS 7.5 | Affected: ≥ 5.1.0, < 5.1.7; ≥ 5.2.0, < 5.2.5; +2 more | Published 2018-02-15
The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable […]
Source: NVD
CVE-2017-18088 | MEDIUM | CVSS 4.3 | Affected: ≥ 5.3.0, < 5.3.7; ≥ 5.4.0, < 5.4.6; +3 more | Published 2018-02-15
CWE-20. Various plugin servlet resources in Atlassian Bitbucket Server before version 5.3.7 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.6 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.6 (the fixed version for 5.5.x), from version 5.6.0 before 5.6.3 (the fixed version for 5.6.x), from version 5.7.0 before 5.7.1 (the fixed versi […]
Source: NVD
CVE-2017-18036 | MEDIUM | CVSS 4.3 | Affected: fixed in 5.3.0 | Published 2018-02-02
CWE-918. The Github repository importer in Atlassian Bitbucket Server before version 5.3.0 allows remote attackers to determine if a service they could not otherwise reach has open ports via a Server Side Request Forgery (SSRF) vulnerability.
Source: NVD
CVE-2017-18038 | MEDIUM | CVSS 5.3 | Affected: fixed in 5.6.0 | Published 2018-02-02
CWE-22. The repository settings resource in Atlassian Bitbucket Server before version 5.6.0 allows remote attackers to read the first line of arbitrary files via a path traversal vulnerability through the default branch name.
Source: NVD
CVE-2017-18037 | MEDIUM | CVSS 6.5 | Affected: ≥ 3.7.0, < 4.14.11; ≥ 5.0.0, < 5.0.9; +10 more | Published 2018-02-02
CWE-22. The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed version for 5.2.x), from version 5.3.0 before 5.3. […]
Source: NVD
CVE-2016-4320 | MEDIUM | CVSS 4.3 | Affected: fixed in 4.7.1 | Published 2017-04-10
CWE-22. Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource.
Source: NVD
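The practical question behind a listing like this is whether a given installed build falls inside one of the affected ranges. The following Python script is an added example (it is not code from this page, from NVD or from Atlassian) that answers that question for the entries whose ranges are given in full on this page: CVE-2022-36804 (all seven ranges are spelled out in its description), CVE-2020-14171, CVE-2020-14170, CVE-2017-18038 and CVE-2017-18036. Entries shown with "+N more" are deliberately omitted because their remaining ranges are not on the page, so an empty result means "not in the ranges listed here", not "unaffected". Rows that only say "fixed in X" state no lower bound; modelling them as "every release below X" is an assumption of this example.

```python
"""Check an installed Bitbucket Server / Data Center version against
affected-version ranges.  Added example: the ranges below are transcribed
by hand from the listing above (not fetched from NVD), and only CVEs whose
ranges appear in full on the page are included."""
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'7.17.10' -> (7, 17, 10); '7.17' -> (7, 17, 0); a leading 'v' is tolerated.
    Raises ValueError for anything that is not 1-3 dot-separated integers,
    so a pre-release or build suffix is rejected rather than silently misread."""
    parts = text.strip().lstrip("v").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


# (inclusive lower bound, exclusive upper bound); the upper bound is the first
# fixed release on that branch, as stated in the entries above.  "fixed in X"
# rows give no lower bound, so they are modelled as "every release below X"
# (assumption of this example, not a statement from the page).
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2022-36804": [("7.0.0", "7.6.17"), ("7.7.0", "7.17.10"),
                       ("7.18.0", "7.21.4"), ("8.0.0", "8.0.3"),
                       ("8.1.0", "8.1.3"), ("8.2.0", "8.2.2"),
                       ("8.3.0", "8.3.1")],
    "CVE-2020-14171": [("4.9.0", "7.2.4")],
    "CVE-2020-14170": [("5.4.0", "7.3.1")],
    "CVE-2017-18038": [("0.0.0", "5.6.0")],
    "CVE-2017-18036": [("0.0.0", "5.3.0")],
}


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if `version` lies inside any half-open [lower, upper) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def affected_cves(version: str) -> List[str]:
    """Sorted CVE IDs from AFFECTED whose ranges contain `version`.
    An empty list means "no listed range matches", not "unaffected": the page
    elides ranges for several other entries ("+N more")."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if is_affected(version, ranges))


if __name__ == "__main__":
    # Constructed sample versions; pass your own on the command line.
    for ver in sys.argv[1:] or ["7.17.9", "7.17.10", "8.3.0"]:
        hits = affected_cves(ver)
        print(f"{ver}: {', '.join(hits) if hits else 'no listed range matches'}")
```

The half-open comparison matters: 7.17.10 is the first fixed 7.17.x release for CVE-2022-36804, so it must not match, while 7.17.9 must. Comparing version strings lexically would get 7.9.0 and 7.17.0 the wrong way round, which is why each component is parsed to an integer first.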