Strix
26.1K

CVE-2019-15012

HIGHCVSS 8.8/10EPSS 1.60%

Last modified

CVE-2019-15012 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. EPSS estimates a 1.60% chance of exploitation in the next 30 days.

Description

Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
1.60%

72.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
AtlassianBitbucket>= 4.13.0, < 5.6.11
AtlassianBitbucket>= 6.0.0, < 6.0.11
AtlassianBitbucket>= 6.1.0, < 6.1.9
AtlassianBitbucket>= 6.2.0, < 6.2.7
AtlassianBitbucket>= 6.3.0, < 6.3.6
AtlassianBitbucket>= 6.4.0, < 6.4.4
AtlassianBitbucket>= 6.5.0, < 6.5.3
AtlassianBitbucket>= 6.6.0, < 6.6.3
AtlassianBitbucket>= 6.7.0, < 6.7.3
AtlassianBitbucket>= 6.8.0, < 6.8.2
AtlassianBitbucket>= 6.9.0, < 6.9.1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-15012?
Bitbucket Server and Bitbucket Data Center from version 4.13. before 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via the edit-file request. A remote attacker with write permission on a repository can write to any arbitrary file to the victims Bitbucket Server or Bitbucket Data Center instance using the edit-file endpoint, if the user has Bitbucket Server or Bitbucket Data Center running, and has the permission to write the file at that destination. In some cases, this can result in execution of arbitrary code by the victims Bitbucket Server or Bitbucket Data Center instance.
How severe is CVE-2019-15012?
CVE-2019-15012 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 1.60% probability of exploitation in the next 30 days.
How do I fix CVE-2019-15012?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-15012?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST