CVE-2019-20097

Published: Jan 15, 2020 | Modified: Aug 24, 2020
CVSS 3.x: 8.8 HIGH (source: NVD)
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 6.5 MEDIUM
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Bitbucket Server and Bitbucket Data Center versions starting from 1.0.0 before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the post-receive hook. A remote attacker with permission to clone and push files to a repository on the victim's Bitbucket Server or Bitbucket Data Center instance can exploit this vulnerability to execute arbitrary commands on the Bitbucket Server or Bitbucket Data Center systems, using a file with specially crafted content.

Affected Software

Name       Vendor     Start Version       End Version
Bitbucket  Atlassian  1.0.0 (including)   5.16.11 (excluding)
Bitbucket  Atlassian  6.0.0 (including)   6.0.11 (excluding)
Bitbucket  Atlassian  6.1.0 (including)   6.1.9 (excluding)
Bitbucket  Atlassian  6.2.0 (including)   6.2.7 (excluding)
Bitbucket  Atlassian  6.3.0 (including)   6.3.6 (excluding)
Bitbucket  Atlassian  6.4.0 (including)   6.4.4 (excluding)
Bitbucket  Atlassian  6.5.0 (including)   6.5.3 (excluding)
Bitbucket  Atlassian  6.6.0 (including)   6.6.3 (excluding)
Bitbucket  Atlassian  6.7.0 (including)   6.7.3 (excluding)
Bitbucket  Atlassian  6.8.0 (including)   6.8.2 (excluding)
Bitbucket  Atlassian  6.9.0 (including)   6.9.1 (excluding)