CVE-2018-5225

In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository.

Published: Mar 22, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-5225
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-59

Affected Software
References

Software	From	Fixed in
atlassian / bitbucket	5.8.0	5.8.2
atlassian / bitbucket	4.13.0	5.4.8
atlassian / bitbucket	5.5.0.x	5.5.8
atlassian / bitbucket	5.6.0	5.6.5
atlassian / bitbucket	5.7.0	5.7.3

http://www.securityfocus.com/bid/103488
https://confluence.atlassian.com/x/3WNsO
https://jira.atlassian.com/browse/BSERV-10684

Vulnerability Database

289,784

CVE-2018-5225