Urgent: Critical Vulnerability Found in Bitbucket Products

On Wednesday, September 18, 2019, Atlassian announced a critical "argument injection vulnerability" in Bitbucket Server and Bitbucket Data Center. In certain cases it allows a remote attacker to inject additional arguments into Git commands that Bitbucket runs on the server, which could lead to remote code execution. Remote attackers can exploit the issue if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center; if public access is enabled for a project or repository, they can do so anonymously, without an account. Atlassian rates this as a critical vulnerability requiring immediate attention.
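The bug class is worth seeing concretely. The following Python example is added here; it is not Atlassian's code and not the Bitbucket fix, and it says nothing about which Bitbucket code path was affected. It only illustrates what "injecting additional arguments into a Git command" means in general: when a user-controlled branch name is appended to a git argv, a name that begins with "-" is parsed by git as an option rather than as a revision. The hardened builder validates the name against an approximation of the rules in git-check-ref-format(1) and fully qualifies it as refs/heads/..., so the argument handed to git can never start with a dash. The sample branch names are constructed, and no git process is spawned.

```python
import re
import shlex
import subprocess

# Approximation of the ref-name rules from git-check-ref-format(1):
# no ASCII control chars or space, no ~ ^ : ? * [ \, no "..", no "@{",
# no component starting with ".", no ".lock" suffix, no leading/trailing
# or doubled "/". (Assumption: close enough for illustration, not a
# replacement for running `git check-ref-format --branch` yourself.)
_FORBIDDEN = re.compile(
    r'[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|\.lock$|/\.|^\.|/$|^/|//'
)


def build_argv_unsafe(branch: str) -> list[str]:
    """Naive builder: the caller's branch name goes straight onto argv.

    A name such as "--output=/tmp/x" lands where git expects a revision and
    is parsed as an option instead. That is argument injection.
    """
    return ["git", "log", "-1", branch]


def is_safe_branch_name(branch: str) -> bool:
    """Reject anything git would refuse as a branch name, plus a leading '-'."""
    if not branch or branch == "@" or branch.endswith(".") or branch.startswith("-"):
        return False
    return _FORBIDDEN.search(branch) is None


def build_argv_safe(branch: str) -> list[str]:
    """Hardened builder: validate, then fully qualify the ref.

    "refs/heads/<name>" cannot begin with '-', so git can only ever treat it
    as a revision, whatever the user typed.
    """
    if not is_safe_branch_name(branch):
        raise ValueError(f"refused branch name: {branch!r}")
    return ["git", "log", "-1", "refs/heads/" + branch]


def run_safe(branch: str, repo_dir: str) -> str:
    """How the hardened argv would be executed: argv list, no shell."""
    proc = subprocess.run(
        build_argv_safe(branch),
        cwd=repo_dir,
        check=True,
        capture_output=True,
        text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: one honest branch name, several hostile ones.
    for name in ["feature/login", "--output=/tmp/x", "a..b", "x.lock", "bad name"]:
        print("unsafe :", shlex.join(build_argv_unsafe(name)))
        try:
            print("safe   :", shlex.join(build_argv_safe(name)))
        except ValueError as exc:
            print("safe   : REJECTED,", exc)
```

The first line printed for "--output=/tmp/x" shows the problem: the string sits in argv exactly where an option would, and git has no way to know it was meant as data. Validation alone is brittle (rules differ between git versions), which is why the safe builder also canonicalises the ref; do both.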

What you need to know…

  • Versions affected:
    • 5.16.9 and earlier
    • 6.0.0 – 6.0.9
    • 6.1.0 – 6.1.7
    • 6.2.0 – 6.2.5
    • 6.3.0 – 6.3.4
    • 6.4.0 – 6.4.2
    • 6.5.0 – 6.5.1
  • Versions already fixed
    • 5.16.10
    • 6.0.10
    • 6.1.8
    • 6.2.6
    • 6.3.5
    • 6.4.3
    • 6.5.2
    • 6.6.0 and later
  • Location and description of vulnerability: This vulnerability allows an attacker with access to a Git repository in Bitbucket Server or Data Center to inject additional arguments into a Git command that the server runs, making it possible to execute commands on the server operating system. If the repository is publicly accessible, the attacker does not need to log in to Bitbucket Server or Data Center.
  • Recommended action: Upgrade to a non-vulnerable version as soon as possible.
  • Short-term workaround: None available. Please upgrade. If you are running a version earlier than 4.0.0, Atlassian has released a hotfix that you can install.

Need help with this?

Give us a call. As an Atlassian Platinum Solution Partner, we’re here to help you keep all your Atlassian products running smoothly.
