Atlassian Bitbucket Server vulnerabilities

19 known vulnerabilities affecting atlassian/bitbucket_server.

Total CVEs: 19
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 9, MEDIUM 6

Vulnerabilities

CVE-2023-22513 | HIGH | CVSS 8.8 | Affected: ≥ 8.9.0, < 8.9.5; ≥ 8.10.0, < 8.10.5; +17 more | Published 2023-09-19
CWE-94: This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availabi
Sources: cvelistv5, nvd
CVE-2022-43781 | CRITICAL | CVSS 9.8 | Affected: before 7.17.12; before 7.21.6; +7 more | Published 2022-11-17
CWE-77: There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled "Allow public signup".
Sources: cvelistv5, nvd
CVE-2022-36804 | HIGH | CVSS 8.8 | CISA KEV, PoC available | Affected: ≥ 7.0.0, < unspecified; ≥ unspecified, < 7.6.17; +12 more | Published 2022-08-25
CWE-78: Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows
Sources: cvelistv5, nvd
CVE-2022-26136 | CRITICAL | CVSS 9.8 | Affected: ≥ unspecified, < 7.6.16; ≥ 7.7.0, < unspecified; +10 more | Published 2022-07-20
CWE-180: A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released update
Sources: cvelistv5, nvd
CVE-2022-26137 | HIGH | CVSS 8.8 | Affected: ≥ unspecified, < 7.6.16; ≥ 7.7.0, < unspecified; +10 more | Published 2022-07-20
CWE-180: A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a speci
Sources: cvelistv5, nvd
CVE-2020-36233 | HIGH | CVSS 7.8 | Affected: ≥ unspecified, < 6.10.9; ≥ 7.0.0, < unspecified; +3 more | Published 2021-02-18
CWE-276: The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
Sources: cvelistv5, nvd
CVE-2020-14171 | MEDIUM | CVSS 6.5 | Affected: ≥ 4.9.0, < unspecified; ≥ unspecified, < 7.2.4 | Published 2020-07-09
CWE-319: Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack.
Sources: cvelistv5, nvd
CVE-2020-14170 | MEDIUM | CVSS 4.3 | Affected: ≥ 5.4.0, < unspecified; ≥ unspecified, < 7.3.1 | Published 2020-07-09
CWE-918: Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability.
Sources: cvelistv5, nvd
CVE-2019-20097 | HIGH | CVSS 8.8 | Affected: ≥ 1.0, < unspecified; ≥ unspecified, < 5.16.11; +20 more | Published 2020-01-15
Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from ver
Sources: cvelistv5, nvd
CVE-2019-15012 | HIGH | CVSS 8.8 | Affected: ≥ 4.13, < unspecified; ≥ unspecified, < 5.16.11; +20 more | Published 2020-01-15
CWE-269: Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from versi
Sources: cvelistv5, nvd
CVE-2019-15010 | HIGH | CVSS 8.8 | Affected: ≥ 3.0, < unspecified; ≥ unspecified, < 5.16.11; +20 more | Published 2020-01-15
CWE-77: Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0
Sources: cvelistv5, nvd
CVE-2019-15005 | MEDIUM | CVSS 4.3 | Affected: ≥ unspecified, < 6.6.0 | Published 2019-11-08
CWE-862: The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulne
Sources: cvelistv5, nvd
CVE-2019-15000 | CRITICAL | CVSS 9.8 | Affected: ≥ unspecified, < 5.16.10; ≥ 6.0.0, < unspecified; +11 more | Published 2019-09-19
CWE-78: The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 befor
Sources: cvelistv5, nvd
CVE-2018-5225 | CRITICAL | CVSS 9.9 | Affected: ≥ 4.13.0, < unspecified; ≥ unspecified, < 5.4.8; +8 more | Published 2018-03-22
CWE-59: In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated
Sources: cvelistv5, nvd
CVE-2017-18087 | HIGH | CVSS 8.8 | Affected: from 5.1.0 prior to 5.1.7; from 5.2.0 prior to 5.2.5; +2 more | Published 2018-02-15
The download commit resource in Atlassian Bitbucket Server from version 5.1.0 before version 5.1.7, from version 5.2.0 before version 5.2.5, from version 5.3.0 before version 5.3.3 and from version 5.4.0 before version 5.4.1 allows remote attackers to write files to disk potentially allowing them to gain code execution, exploit CVE-2017-1000117 if a vulnerable version of git is in use,
Sources: cvelistv5
CVE-2017-18036 | MEDIUM | CVSS 4.3 | Affected: prior to 5.3.0 | Published 2018-02-02
CWE-918: The Github repository importer in Atlassian Bitbucket Server before version 5.3.0 allows remote attackers to determine if a service they could not otherwise reach has open ports via a Server Side Request Forgery (SSRF) vulnerability.
Sources: cvelistv5, nvd
CVE-2017-18038 | MEDIUM | CVSS 5.3 | Affected: prior to 5.6.0 | Published 2018-02-02
CWE-22: The repository settings resource in Atlassian Bitbucket Server before version 5.6.0 allows remote attackers to read the first line of arbitrary files via a path traversal vulnerability through the default branch name.
Sources: cvelistv5, nvd
CVE-2017-18037 | MEDIUM | CVSS 6.5 | Affected: from 3.7.0 prior to 4.14.11; from 5.0.0 prior to 5.0.9; +5 more | Published 2018-02-02
CWE-22: The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed version for 5.2.x), from version 5.3.0 before 5.3.
Sources: cvelistv5, nvd
CVE-2017-1000117 | HIGH | CVSS 8.8 | PoC available | Affected: from 5.1.0 prior to 5.1.7; from 5.2.0 prior to 5.2.5; +2 more | Published 2017-10-05
CWE-601: A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-
Sources: nvd