usd-2019-0019 | Bitbucket/v5.10.1

Advisory ID: usd-2019-0019
CVE Number: N/A
Affected Product: Bitbucket
Affected Version: v5.10.1
Vulnerability Type: File Enumeration
Security Risk: Low
Vendor URL:
Vendor Status: Not fixed


The logfile analyzer inside the admin menu can be used to enumerate existing file names on the operating system.

Proof of Concept (PoC)

If one specifies a path to a non-existent file, the application displays a different error message than when the path leads to an existing file, so the error text reveals whether a file exists.
This was tested with the paths "/etc/passwd" and "/non/existend".


Analysing logfiles should be limited to a specified part of the directory tree.
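As an added illustration of that fix (not Bitbucket's code and not from the advisory): a reader that resolves the requested path, rejects anything outside a configured log directory, and returns one fixed message whether the path is outside the root or simply absent, so the error text no longer reveals which files exist. The leaky variant shows the pattern the advisory describes; the directory and file names are constructed.

```python
import tempfile
from pathlib import Path
from typing import Optional

# One fixed message for every failure: the caller cannot tell whether a path
# outside the allowed directory exists, because nothing else is ever reported.
GENERIC_ERROR = "Log file not available"

def read_log_leaky(user_path: str) -> str:
    """The pattern the advisory describes: no directory restriction, and an
    error text that differs depending on whether the file exists."""
    p = Path(user_path)
    if not p.exists():
        return "No such file"          # distinct message -> existence oracle
    if not p.is_file():
        return "Not a regular file"
    return p.read_text()

def resolve_inside(root: Path, user_path: str) -> Optional[Path]:
    """Return the canonical path if it lies inside `root`, otherwise None.
    Both sides are resolved (symlinks and '..' followed) before comparing, so
    neither '../' components nor a symlink planted inside `root` can escape.
    """
    root = root.resolve()
    requested = Path(user_path)
    candidate = (requested if requested.is_absolute() else root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate

def read_log(root: Path, user_path: str) -> str:
    """Hardened reader: containment first, then existence, one message for both."""
    target = resolve_inside(root, user_path)
    if target is None or not target.is_file():
        return GENERIC_ERROR
    return target.read_text()

# Constructed demo environment (hypothetical names): a scratch directory
# standing in for the only log directory the analyzer may read from.
DEMO_ROOT = Path(tempfile.mkdtemp(prefix="logroot-"))
SAMPLE_LOG = DEMO_ROOT / "atlassian-bitbucket.log"
SAMPLE_LOG.write_text("2019-03-28 INFO server started\n")  # constructed log line

if __name__ == "__main__":
    for p in ("atlassian-bitbucket.log", "/etc/passwd", "/non/existend", "../../etc/passwd"):
        print(f"{p!r:26} -> {read_log(DEMO_ROOT, p)!r}")
```

Because containment is checked before existence, "/etc/passwd" and "/non/existend" produce the identical response, which is what closes the enumeration channel.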


  • 2019-03-28 Vulnerability securely submitted to
  • 2019-04-11 Second contact attempt via contact form
  • 2019-05-23 Atlassian Security Team agreed to the publication of the advisory
  • 2019-07-31 Security advisory released


This security vulnerability was found by Tobias Neitzel and Julian Frey of usd AG.