usd-2019-0018 | Bitbucket/v5.10.1

Advisory ID: usd-2019-0018
CVE Number: N/A
Affected Product: Bitbucket
Affected Version: v5.10.1
Vulnerability Type: User Enumeration
Security Risk: Low
Vendor URL: https://www.atlassian.com
Vendor Status: Not fixed

Description

User enumeration is when a malicious actor can use brute-force to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication. The malicious actor is looking for differences in the server’s response based on the validity of submitted credentials.

Proof of Concept (PoC)

Unprivileged users are able to enumerate valid usernames. Hereto, an user sends a request to „/admin/permissions/users“ with following request

GET-Parameter “?permission=LICENSED_USER&name=”.

If the username exists, the server responds with an error message that the user has unsufficient rights for this process.
If the username does not exists, the server responds with a message that the user does not exists.

Fix

Even if the user doesn’t exists, the server should respond with an error message which points out that the user doesn’t have sufficient rights to execute the process.

Timeline

  • 2019-03-28 Vulnerability securily submitted to security@atlassian.com
  • 2019-04-11 Second contact attempt via contact formular
  • 2019-05-23 Atlassian Security Team agreed with the publishment of the advisory
  • 2019-07-31 Security advisory released

Credits

This security vulnerabilities were found by Tobias Neitzel and Julian Frey of usd AG.