CVE-2019-3397

Published Jun 3, 2019

Last updated 5 years ago

Overview

Description: Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) allow remote attackers who have admin permissions to achieve remote code execution on a Bitbucket server instance via path traversal through the Data Center migration tool.
Source: security@atlassian.com
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 3.0

Type: Primary
Base score: 9.1
Impact score: 6
Exploitability score: 2.3
Vector string: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 9
Impact score: 10
Exploitability score: 8
Vector string: AV:N/AC:L/Au:S/C:C/I:C/A:C

Weaknesses

nvd@nist.gov: CWE-22

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A6215D87-F4E1-445C-B201-89F411229CA4",
            "versionEndExcluding": "5.13.6",
            "versionStartIncluding": "5.13.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6EFC24FA-DFFB-45B6-8F63-3AFDE1CC5464",
            "versionEndExcluding": "5.14.4",
            "versionStartIncluding": "5.14.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6FD74B56-390D-48CB-93BB-0452869D58D7",
            "versionEndExcluding": "5.15.3",
            "versionStartIncluding": "5.15.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0F6EA7D6-40E5-4F3D-B5C4-16DB7AB421A6",
            "versionEndExcluding": "5.16.3",
            "versionStartIncluding": "5.16.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1D61084D-DA80-4EAD-AABA-DD94F9A69475",
            "versionEndExcluding": "6.0.3",
            "versionStartIncluding": "6.0.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9E69F799-F16F-4C25-AE84-5D73CBEAD71D",
            "versionEndExcluding": "6.1.2",
            "versionStartIncluding": "6.1.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Configurations

References