CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21684
https://notcve.org/view.php?id=CVE-2024-21684
24 Jul 2024 — There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2. This open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for... • https://jira.atlassian.com/browse/BSERV-19454 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.0EPSS: 11%CPEs: 10EXPL: 0CVE-2023-22513
https://notcve.org/view.php?id=CVE-2023-22513
19 Sep 2023 — This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to latest version, if you are unable to d... • https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 91%CPEs: 8EXPL: 1CVE-2022-43781 – Bitbucket Environment Variable Remote Command Injection
https://notcve.org/view.php?id=CVE-2022-43781
17 Nov 2022 — There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”. Existe una vulnerabilidad de inyección de comandos mediante variables de entorno en Bitbucket Server y Data Center. Un atacante con permiso para controlar su no... • https://packetstorm.news/files/id/171369 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 94%CPEs: 7EXPL: 22CVE-2022-36804 – Atlassian Bitbucket Server and Data Center Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-36804
25 Aug 2022 — Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnera... • https://packetstorm.news/files/id/171453 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 10.0EPSS: 0%CPEs: 42EXPL: 0CVE-2022-26137
https://notcve.org/view.php?id=CVE-2022-26137
20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to cause additional Servlet Filters to be invoked when the application processes requests or responses. Atlassian has confirmed and fixed the only known security issue associated with this vulnerability: Cross-origin resource sharing (CORS) bypass. Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into re... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 42EXPL: 0CVE-2022-26136
https://notcve.org/view.php?id=CVE-2022-26136
20 Jul 2022 — A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions ar... • https://jira.atlassian.com/browse/BAM-21795 • CWE-180: Incorrect Behavior Order: Validate Before Canonicalize CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 86%CPEs: 5EXPL: 2CVE-2022-26133
https://notcve.org/view.php?id=CVE-2022-26133
20 Apr 2022 — SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization. SharedSecretClusterAuthenticator en Atlassian Bitbucket Data Center versiones 5.14.0 y posteriores anteriores a 7.6.14, versiones 7.7.0 y posteriores anteriores a 7.17.6, versiones 7.18.0 y posterio... • https://github.com/Pear1y/CVE-2022-26133 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-36233
https://notcve.org/view.php?id=CVE-2020-36233
18 Feb 2021 — The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory. El Microsoft Windows Installer para Atlassian Bitbucket Server y Data Center versiones anteriores a 6.10.9, versiones 7.x anteriores a 7.6.4 y desde versión 7.7.0 versiones anteriores a 7.10.1, permite a los atacantes locales escalar privilegios debi... • https://jira.atlassian.com/browse/BSERV-12753 • CWE-276: Incorrect Default Permissions •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14170
https://notcve.org/view.php?id=CVE-2020-14170
09 Jul 2020 — Webhooks in Atlassian Bitbucket Server from version 5.4.0 before version 7.3.1 allow remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF) vulnerability. Webhooks en Atlassian Bitbucket Server desde la versión 5.4.0 anterior a la versión 7.3.1, permiten a atacantes remotos acceder al contenido de los recursos de la red interna mediante una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) • https://jira.atlassian.com/browse/BSERV-12433 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14171
https://notcve.org/view.php?id=CVE-2020-14171
09 Jul 2020 — Atlassian Bitbucket Server from version 4.9.0 before version 7.2.4 allows remote attackers to intercept unencrypted repository import requests via a Man-in-the-Middle (MITM) attack. Atlassian Bitbucket Server desde la versión 4.9.0 anterior a la versión 7.2.4, permite a atacantes remotos interceptar peticiones de importación de repositorios sin cifrar mediante un ataque Man-in-the-Middle (MITM) • https://jira.atlassian.com/browse/BSERV-12434 • CWE-319: Cleartext Transmission of Sensitive Information •