
Atlassian Bitbucket Server 4.x < 4.7.1 Directory Traversal

Medium

Synopsis

The remote Bitbucket server is affected by a directory traversal vulnerability.

Description

Versions of Bitbucket 4.x prior to 4.7.1 contain a flaw that allows traversal outside of a restricted path. The issue arises because the program does not properly sanitize user input, specifically path traversal sequences (e.g. '../'), when handling user repository pull requests. With a specially crafted request, an authenticated remote attacker can read the first line of arbitrary files.
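The flaw class described above is a path joined onto a restricted root without normalisation. The following is an added example, not Atlassian's code or the plugin's: it shows the unsafe join next to a hardened resolver that decodes, normalises and confines the result to the repository root, plus a small access-log scan that flags traversal sequences. The repository root, the URL layout and the log lines are all constructed for the example; they are not Bitbucket's real paths or log format.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed restricted root for the example; not a real Bitbucket path.
REPO_ROOT = "/var/bitbucket/repos/demo"


def naive_join(root: str, user_path: str) -> str:
    """Unsafe pattern: user input glued onto the root with no normalisation,
    so '../' segments walk out of the restricted directory."""
    return root.rstrip("/") + "/" + user_path


def naive_escapes_root(root: str, user_path: str) -> bool:
    """True when the naive join, once the OS resolves it, lands outside root."""
    resolved = posixpath.normpath(naive_join(root, user_path))
    root_norm = posixpath.normpath(root)
    return not (resolved == root_norm or resolved.startswith(root_norm + "/"))


def safe_resolve(root: str, user_path: str) -> str:
    """Hardened resolver: URL-decode (twice, to catch %252e), reject NUL bytes
    and absolute paths, normalise, then verify the result stays under root.
    Raises ValueError on any traversal attempt."""
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if decoded.startswith(("/", "\\")):
        raise ValueError("absolute path not allowed")
    normalised = posixpath.normpath(decoded.replace("\\", "/"))
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, normalised))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError(f"path escapes repository root: {user_path!r}")
    return candidate


def is_traversal_attempt(root: str, user_path: str) -> bool:
    """Convenience wrapper for validation at the request boundary."""
    try:
        safe_resolve(root, user_path)
    except ValueError:
        return True
    return False


def has_traversal_segment(url_path: str) -> bool:
    """Detection check: does the decoded request path contain a '..' segment?
    Compares whole segments, so names like 'util..c' are not false positives."""
    decoded = unquote(unquote(url_path.split("?", 1)[0]))
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


# Constructed sample access-log lines (common log format); not real Bitbucket logs.
LOG_LINES = [
    '10.0.0.5 - alice [01/Jan/2016:10:00:00 +0000] "GET /projects/DEMO/repos/demo/pull-requests/1/diff/src/main.c HTTP/1.1" 200 512',
    '10.0.0.9 - mallory [01/Jan/2016:10:00:01 +0000] "GET /projects/DEMO/repos/demo/pull-requests/1/diff/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 64',
    '10.0.0.9 - mallory [01/Jan/2016:10:00:02 +0000] "GET /projects/DEMO/repos/demo/pull-requests/1/diff/docs/..%252F..%252Fconfig HTTP/1.1" 200 64',
    '10.0.0.5 - alice [01/Jan/2016:10:00:03 +0000] "GET /projects/DEMO/repos/demo/browse/src/util..c HTTP/1.1" 200 128',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def flag_traversal_requests(lines=LOG_LINES):
    """Return (line index, request path) for every request carrying a '..' segment."""
    flagged = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if m and has_traversal_segment(m.group(1)):
            flagged.append((i, m.group(1)))
    return flagged


if __name__ == "__main__":
    print(safe_resolve(REPO_ROOT, "src/../README.md"))
    print(is_traversal_attempt(REPO_ROOT, "..%2F..%2Fetc%2Fpasswd"))
    for idx, path in flag_traversal_requests():
        print(f"line {idx}: traversal sequence in {path}")
```

The resolver decodes before normalising because a single decode pass misses double-encoded sequences, and it compares the normalised candidate against the root as a path prefix (root plus a separator) rather than as a string prefix, so a sibling directory with a longer name cannot slip through. The log scan is intentionally segment-based: substring matching on `..` would flag ordinary file names.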

Solution

Upgrade to Bitbucket version 4.7.1 or later.