A vulnerability has been discovered in Atlassian Bitbucket Server and Data Center that could allow remote code execution. Bitbucket is a Git-based source code repository hosting service owned by Atlassian.
Successful exploitation could allow an attacker to execute code remotely in the context of the application. Depending on the permissions granted to the application, the attacker could then install programs or view, change, or delete data.
Versions before 7.19.x will not receive fixes because they are not LTS releases. The available fixes are listed below:
| Supported Version | Bug Fix Release |
| --- | --- |
| Bitbucket Server and Data Center 7.6 | 7.6.17 (LTS) or newer |
| Bitbucket Server and Data Center 7.17 | 7.17.10 (LTS) or newer |
| Bitbucket Server and Data Center 7.21 | 7.21.4 (LTS) or newer |
| Bitbucket Server and Data Center 8.0 | 8.0.3 or newer |
| Bitbucket Server and Data Center 8.1 | 8.1.3 or newer |
| Bitbucket Server and Data Center 8.2 | 8.2.2 or newer |
| Bitbucket Server and Data Center 8.3 | 8.3.1 or newer |
How to mitigate
Apply the bug fix releases as soon as possible. If you cannot update, disabling public repositories by setting feature.public.access=false is available as a temporary workaround.
Users are urged to update to the latest version. For those who cannot, Bitbucket has offered the workaround above.
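The fix table and the workaround above can be turned into a patch-status check for an inventory of Bitbucket hosts. The following is an added example, not Atlassian's code; it assumes bitbucket.properties uses key=value lines with '#' or '!' comments, which the page does not describe, and the sample file excerpt is constructed.

```python
# Added example (not Atlassian's code): checks an installed Bitbucket version
# against the advisory's fix table and looks for the page's workaround in
# bitbucket.properties. key=value lines with '#'/'!' comments are assumed.
import re

# Minimum fixed release per supported branch, copied from the table above.
FIXED_RELEASES = {
    (7, 6): (7, 6, 17), (7, 17): (7, 17, 10), (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3), (8, 1): (8, 1, 3), (8, 2): (8, 2, 2), (8, 3): (8, 3, 1),
}

def parse_version(text):
    """'7.21.3' or '7.21.3-rc1' -> (7, 21, 3); raises on anything else."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def fix_status(version):
    """'fixed', 'vulnerable', or 'branch_not_in_table' (no fix listed; upgrade needed)."""
    v = parse_version(version)
    floor = FIXED_RELEASES.get(v[:2])
    if floor is None:
        return "branch_not_in_table"
    return "fixed" if v >= floor else "vulnerable"

def public_access_disabled(properties_text):
    """True only if the last feature.public.access assignment is 'false'.
    Comments ('#' or '!') are skipped; a missing key leaves the default in force."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "feature.public.access":
            value = val.strip().lower()
    return value == "false"

def assess(version, properties_text=""):
    """One verdict per host: patched, or unpatched with/without the workaround."""
    status = fix_status(version)
    if status == "fixed":
        return "patched"
    if public_access_disabled(properties_text):
        return f"{status}; workaround applied (public repositories disabled)"
    return f"{status}; no workaround detected, upgrade required"

# Constructed sample excerpt, not from a real installation.
SAMPLE_PROPERTIES = "# constructed bitbucket.properties\nserver.port=7990\nfeature.public.access=false\n"
```

A branch the table does not list is reported as `branch_not_in_table` rather than guessed at, since the page gives no fix for it.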