cbcvebase.

Atlassian Bitbucket Data Center vulnerabilities

25 known vulnerabilities affecting atlassian/bitbucket_data_center.

Total CVEs: 25
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 1

Vulnerabilities

Page 1 of 2
CVE-2024-30172 | HIGH | CVSS 8.2 | 2024-11-19
CVE-2024-30172 [HIGH]: 8.19.0 to 8.19.2 (LTS), 8.18.0 to 8.18.1, 8.17.0 to 8.17.2, 8.16.0 to 8.16.4, 8.15.0 to 8.15.5, 8.14.0 to 8.14.6, 8.13.0 to 8.13.6, 8.12.0 to 8.12.6, 8.11.0 to 8.11.6, 8.10.0 to 8.10.6, 8.9.0 to 8.9.13 (LTS), 8.8.0
atlassian
CVE-2024-24549 | HIGH | CVSS 7.5 | 2024-11-19
CVE-2024-24549 [HIGH]: DoS (Denial of Service) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server. CVE: CVE-2024-24549. Affected products: Bitbucket Data Center
atlassian
CVE-2024-21684 | MEDIUM | CVSS 4.3 | ≥ 8.0.0, < 8.9.13; ≥ 8.19.0, < 8.19.2; +11 more | 2024-07-24
CVE-2024-21684 [MEDIUM] CWE-601: There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2. This open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R
nvd
CVE-2024-21634 | HIGH | CVSS 8.2 | 2024-03-19
CVE-2024-21634 [HIGH]: 8.18.0, 8.17.0 to 8.17.1, 8.16.0 to 8.16.2, 8.15.0 to 8.15.3, 8.14.0 to 8.14.4, 8.13.0 to 8.13.5, 8.12.0 to 8.12.3, 8.11.0 to 8.11.1, 8.10.0 to 8.10.1, 8.9.0 to 8.9.9 (LTS), Any earlier versions (except 7.2
atlassian
CVE-2023-6481 | HIGH | CVSS 7.5 | 2024-01-16
CVE-2023-6481 [HIGH]: DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server. CVE: CVE-2023-6481. Severity: HIGH. Affected products: Bitbucket Data Center
atlassian
CVE-2023-6378 | HIGH | CVSS 7.5 | 2024-01-16
CVE-2023-6378 [HIGH]: DoS (Denial of Service) ch.qos.logback:logback-core Dependency in Bitbucket Data Center and Server. CVE: CVE-2023-6378. Severity: HIGH. Affected products: Bitbucket Data Center
atlassian
CVE-2023-34455 | HIGH | CVSS 7.5 | 2024-01-16
CVE-2023-34455 [HIGH]: DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server. CVE: CVE-2023-34455. Severity: HIGH. Affected products: Bitbucket Data Center
atlassian
CVE-2023-5072 | HIGH | CVSS 7.5 | 2024-01-16
CVE-2023-5072 [HIGH]: DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server. CVE: CVE-2023-5072. Severity: HIGH. Affected products: Bitbucket Data Center
atlassian
CVE-2023-34453 | HIGH | CVSS 7.5 | 2024-01-16
CVE-2023-34453 [MEDIUM]: DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server. CVE: CVE-2023-34453. Severity: HIGH. Affected products: Bitbucket Data Center
atlassian
CVE-2023-34454 | HIGH | CVSS 7.5 | 2024-01-16
CVE-2023-34454 [MEDIUM]: DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server. CVE: CVE-2023-34454. Severity: HIGH. Affected products: Bitbucket Data Center
atlassian
CVE-2023-43642 | HIGH | CVSS 7.5 | 2024-01-16
CVE-2023-43642 [HIGH]: DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server. CVE: CVE-2023-43642. Severity: HIGH. Affected products: Bitbucket Data Center
atlassian
CVE-2023-36478 | HIGH | CVSS 7.5 | 2024-01-16
CVE-2023-36478 [HIGH]: DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server. CVE: CVE-2023-36478. Severity: HIGH. Affected products: Bitbucket Data Center
atlassian
CVE-2023-3635 | HIGH | CVSS 7.5 | 2023-12-12
CVE-2023-3635 [MEDIUM]: From 7.17.x to 7.21.17; From 8.7.x to 8.9.6; From 8.10.x to 8.11.5; From 8.12.x to 8.12.3; From 8.13.x to 8.13.2; From 8.14.x to 8.14.1. CVE: CVE-2023-3635. Severity: HIGH. Affected products: Bitbucket Data Cent
atlassian
CVE-2023-22513 | HIGH | CVSS 8.8 | ≥ 8.9.0, < 8.9.5; ≥ 8.10.0, < 8.10.5; +17 more | 2023-09-19
CVE-2023-22513 [HIGH] CWE-94: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availabi
nvd
CVE-2022-43781 | CRITICAL | CVSS 9.8 | PoC | before 7.17.12; before 7.21.6; +7 more | 2022-11-17
CVE-2022-43781 [CRITICAL] CWE-77: There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
nvd
CVE-2022-36804 | HIGH | CVSS 8.8 | KEV | PoC | ≥ 7.0.0, < unspecified; ≥ unspecified, < 7.6.17; +12 more | 2022-08-25
CVE-2022-36804 [HIGH] CWE-78: Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows
nvd
CVE-2022-26136 | CRITICAL | CVSS 9.8 | ≥ unspecified, < 7.6.16; ≥ 7.7.0, < unspecified; +10 more | 2022-07-20
CVE-2022-26136 [CRITICAL] CWE-180: A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released update
nvd
CVE-2022-26137 | HIGH | CVSS 8.8 | ≥ unspecified, < 7.6.16; ≥ 7.7.0, < unspecified; +10 more | 2022-07-20
CVE-2022-26137 [HIGH] CWE-180: A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a speci
nvd
CVE-2022-26133 | CRITICAL | CVSS 9.8 | ≥ 5.14.0, < 7.6.14; ≥ 7.7.0, < 7.17.6; +11 more | 2022-04-20
CVE-2022-26133 [CRITICAL] CWE-502: SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.
nvd
CVE-2020-36233 | HIGH | CVSS 7.8 | ≥ unspecified, < 6.10.9; ≥ 7.0.0, < unspecified; +3 more | 2021-02-18
CVE-2020-36233 [HIGH] CWE-276: The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
nvd