=====================================================================

                               CERT-Renater

                     Note d'Information No. 2023/VULN346

_____________________________________________________________________

DATE                : 26/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Bitbucket Data Center and Server
        versions prior to 8.9.5, 8.10.5, 8.11.4, 8.12.2, 8.13.1, 8.14.0.

=====================================================================
https://jira.atlassian.com/browse/BSERV-14419
_____________________________________________________________________

RCE (Remote Code Execution) in Bitbucket Data Center and Server

Details

     Type:          Public Security Vulnerability
     Resolution:    Fixed
     Priority:      High
     Fix Version/s: 8.14.0, 8.13.1, 8.9.5, 8.10.5, 8.11.4, 8.12.2
     Affects Version/s:  8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0,
                         8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0,
                         8.12.0, 8.13.0
     Component/s:   None
     Labels:        advisory advisory-to-release dont-import security
     CVSS Score:    8.5
     CVSS Severity: High
     CVE ID:        CVE-2023-22513
     Vulnerability Source:  Bug Bounty
     Credit:        a private user
     CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
     Vulnerability Classes: RCE (Remote Code Execution)
     Affected Product(s):   Bitbucket Data Center, Bitbucket Server

Description

This High severity RCE (Remote Code Execution) vulnerability was
introduced in version 8.0.0 of Bitbucket Data Center and Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score
of 8.5, allows an authenticated attacker to execute arbitrary code
which has high impact to confidentiality, high impact to integrity,
high impact to availability, and requires no user interaction.

Atlassian recommends that Bitbucket Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:
     Bitbucket Data Center and Server 8.9:
          Upgrade to a release greater than or equal to 8.9.5
     Bitbucket Data Center and Server 8.10:
          Upgrade to a release greater than or equal to 8.10.5
     Bitbucket Data Center and Server 8.11:
          Upgrade to a release greater than or equal to 8.11.4
     Bitbucket Data Center and Server 8.12:
          Upgrade to a release greater than or equal to 8.12.2
     Bitbucket Data Center and Server 8.13:
          Upgrade to a release greater than or equal to 8.13.1
     Bitbucket Data Center and Server 8.14:
          Upgrade to a release greater than or equal to 8.14.0
     Bitbucket Data Center and Server version >= 8.0 and < 8.9:
          Upgrade to any of the listed fix versions.

Versions before 8.0.0 (e.g., 7.x series) are unaffected by this
vulnerability.
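The version rules above, turned into a small inventory check. This is an added example, not part of the CERT-Renater note or of Atlassian's advisory; the host inventory is constructed, and the version strings are assumed to be plain dotted numbers as Bitbucket reports them.

```python
# Classify Bitbucket Data Center/Server versions against the fix releases
# published for CVE-2023-22513 (added example, not from the advisory).

# Fix releases exactly as listed in the advisory, one per 8.x branch.
FIXED_VERSIONS = ["8.9.5", "8.10.5", "8.11.4", "8.12.2", "8.13.1", "8.14.0"]


def parse_version(text):
    """'8.10.5' -> (8, 10, 5); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True when `version` still carries CVE-2023-22513.

    Rules from the advisory:
      - before 8.0.0 (7.x and older): unaffected;
      - 8.9 .. 8.14: affected only below that branch's fix release;
      - 8.0 .. 8.8: no fix on the branch, so every release is affected;
      - 8.15 and later: built after 8.14.0, so they contain the fix.
    """
    v = parse_version(version)
    if v < (8, 0, 0):
        return False
    fixes = {parse_version(f)[:2]: parse_version(f) for f in FIXED_VERSIONS}
    branch = v[:2]
    if branch in fixes:
        return v < fixes[branch]
    return branch < (8, 14)  # 8.0 .. 8.8 affected; 8.15+ already fixed


def audit(inventory):
    """Return the hostnames whose Bitbucket version is still affected."""
    return [host for host, ver in inventory.items() if is_affected(ver)]


# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "bitbucket-prod": "8.9.4",    # 8.9 branch below 8.9.5 -> affected
    "bitbucket-stage": "8.13.1",  # exactly the 8.13 fix release -> fixed
    "bitbucket-legacy": "7.21.0", # 7.x is unaffected
    "bitbucket-dev": "8.3.2",     # 8.0..8.8 have no fix release -> affected
    "bitbucket-new": "8.15.0",    # later than 8.14.0 -> fixed
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade required")
```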


See the release notes
(https://confluence.atlassian.com/bitbucketserver/release-notes).

You can download the latest version of Bitbucket Data Center and
Server from the download center
(https://www.atlassian.com/software/bitbucket/download-archives).

This vulnerability was discovered by a private user and reported
via our Bug Bounty program.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
