GSD-2019-15010
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-15010",
"description": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance.",
"id": "GSD-2019-15010"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-15010"
],
"details": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance.",
"id": "GSD-2019-15010",
"modified": "2023-12-13T01:23:38.327886Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-01-15T10:00:00",
"ID": "CVE-2019-15010",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Server",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "3.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
},
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "3.0"
},
{
"version_affected": "\u003c",
"version_value": "5.16.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.11"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.9"
},
{
"version_affected": "\u003e=",
"version_value": "6.2.0"
},
{
"version_affected": "\u003c",
"version_value": "6.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "6.3.0"
},
{
"version_affected": "\u003c",
"version_value": "6.3.6"
},
{
"version_affected": "\u003e=",
"version_value": "6.4.0"
},
{
"version_affected": "\u003c",
"version_value": "6.4.4"
},
{
"version_affected": "\u003e=",
"version_value": "6.5.0"
},
{
"version_affected": "\u003c",
"version_value": "6.5.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.6.0"
},
{
"version_affected": "\u003c",
"version_value": "6.6.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.7.0"
},
{
"version_affected": "\u003c",
"version_value": "6.7.3"
},
{
"version_affected": "\u003e=",
"version_value": "6.8.0"
},
{
"version_affected": "\u003c",
"version_value": "6.8.2"
},
{
"version_affected": "\u003e=",
"version_value": "6.9.0"
},
{
"version_affected": "\u003c",
"version_value": "6.9.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Expression Language Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12098",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.6.11",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.0.11",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.2.7",
"versionStartIncluding": "6.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.3.6",
"versionStartIncluding": "6.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.4.4",
"versionStartIncluding": "6.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.5.3",
"versionStartIncluding": "6.5.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.6.3",
"versionStartIncluding": "6.6.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.7.3",
"versionStartIncluding": "6.7.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.8.2",
"versionStartIncluding": "6.8.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.9.1",
"versionStartIncluding": "6.9.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"ID": "CVE-2019-15010"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim\u0027s systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim\u0027s Bitbucket Server or Bitbucket Data Center instance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-12098",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.atlassian.com/browse/BSERV-12098"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2020-08-24T17:37Z",
"publishedDate": "2020-01-15T21:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…