usd-2019-0019 | Bitbucket/v5.10.1

Advisory ID: usd-2019-0019
CVE Number: N/A
Affected Product: Bitbucket
Affected Version: v5.10.1
Vulnerability Type: File Enumeration
Security Risk: Low
Vendor URL: https://www.atlassian.com
Vendor Status: Not fixed

Description

The logfile analyzer in the admin menu can be used to enumerate existing file names on the underlying operating system.

Proof of Concept (PoC)

If one specifies a path to a non-existent file, the application displays a different error message than it does for a path that leads to an existing file, so the response reveals whether the file exists.
This was tested with the paths "/etc/passwd" and "/non/existend".

Fix

Analysing logfiles should be restricted to a designated part of the directory tree, and the error response should not differ between missing and existing files.
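One way to implement that restriction, as an added example that is not part of the advisory or of Atlassian's code: the analyzer resolves the requested name against a designated log directory (ALLOWED_LOG_DIR is an assumed placeholder), rejects anything that resolves outside it, and returns one identical message for out-of-bounds, missing and unreadable files, so the response no longer tells a requester whether a path exists.

```python
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Directory the analyzer may read from; a placeholder path assumed by this example.
ALLOWED_LOG_DIR = Path("/var/log/myapp")
# One message for every rejected request (outside the directory, missing, or
# unreadable), so the response does not reveal whether a path exists on the host.
GENERIC_ERROR = "Log file could not be analyzed"

def resolve_log_path(user_supplied: str, base: Path) -> Optional[Path]:
    """Return the canonical path if it lies inside `base`, otherwise None."""
    base_resolved = base.resolve()
    # An absolute input replaces `base` when joined, and '..' and symlinks are
    # collapsed by resolve(), so the containment check sees the real target.
    candidate = (base_resolved / user_supplied).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        return None
    return candidate

def analyze_logfile(user_supplied: str, base: Path = ALLOWED_LOG_DIR) -> Tuple[bool, str]:
    """Count lines of a log file inside `base`; every failure gives the same message."""
    path = resolve_log_path(user_supplied, base)
    if path is None:
        return False, GENERIC_ERROR
    try:
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            line_count = sum(1 for _ in fh)
    except OSError:
        # Missing file, permission error or directory: indistinguishable from
        # the containment failure above.
        return False, GENERIC_ERROR
    return True, "%d lines analyzed" % line_count

def demo() -> dict:
    """Run the check against a constructed temporary log directory holding one file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "app.log").write_text("started\nrequest ok\nstopped\n")
        return {
            "inside": analyze_logfile("app.log", base),
            "inside_missing": analyze_logfile("missing.log", base),
            "absolute": analyze_logfile("/etc/passwd", base),
            "traversal": analyze_logfile("../../etc/passwd", base),
        }
```

The `inside_missing` and `absolute` results are identical, which is the property the original analyzer lacked.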

Timeline

  • 2019-03-28 Vulnerability securely submitted to security@atlassian.com
  • 2019-04-11 Second contact attempt via contact form
  • 2019-05-23 Atlassian Security Team agreed to the publication of the advisory
  • 2019-07-31 Security advisory released

Credits

This security vulnerability was found by Tobias Neitzel and Julian Frey of usd AG.