CVE-2019-15010

Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.

Published: Jan 15, 2020
Updated: Apr 13, 2023
CVE: CVE-2019-15010
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
atlassian / bitbucket	6.2.0	6.2.7
atlassian / bitbucket	6.1.0	6.1.9
atlassian / bitbucket	6.0.0	6.0.11
atlassian / bitbucket	6.9.0	6.9.1
atlassian / bitbucket	6.8.0	6.8.2
atlassian / bitbucket	6.7.0	6.7.3
atlassian / bitbucket	6.6.0	6.6.3
atlassian / bitbucket	6.5.0	6.5.3
atlassian / bitbucket	6.4.0	6.4.4
atlassian / bitbucket	6.3.0	6.3.6
atlassian / bitbucket	3.0.0	5.6.11

https://jira.atlassian.com/browse/BSERV-12098

Vulnerability Database

289,784

CVE-2019-15010