usd-2019-0020 | Bitbucket/v5.10.1
Advisory ID: usd-2019-0020
CVE Number: N/A
Affected Product: Bitbucket
Affected Version: v5.10.1
Vulnerability Type: Sensitive Data in URL
Security Risk: Low
Vendor URL: https://www.atlassian.com
Vendor Status: Not fixed
Rather than attacking the cryptography directly, attackers steal keys, carry out man-in-the-middle attacks, or steal clear-text data from the server, while it is in transit, or from the user's client (e.g. the browser). A manual attack is generally required.
Proof of Concept
If a user changes their profile picture, the CSRF token is transferred in the URL (query string). The token does not change afterwards and remains valid for the whole session, so anything that records the URL (browser history, proxy and web-server logs, the Referer header of subsequent requests) obtains a token that is usable until the session ends.
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Send the CSRF token as a POST parameter in the request body instead of in the URL.
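The following is an added example and not part of the usd AG advisory or of Atlassian's code. It shows, on constructed input, why a CSRF token in the query string matters (the token ends up in an access log and in a later Referer) and contrasts a token check that accepts the token from the URL with a hardened one that only accepts it from the POST body or a request header. The parameter name atl_token, the header name X-Atlassian-Token, the paths and the log lines are assumptions for illustration, not details confirmed by the advisory.

```python
"""Added example, not from the advisory or from Bitbucket itself.

Assumed names (hypothetical): parameter `atl_token`, header `X-Atlassian-Token`.
The access-log lines below are constructed to illustrate the leak.
"""
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

TOKEN_PARAM = "atl_token"           # assumed query/body parameter name
TOKEN_HEADER = "X-Atlassian-Token"  # assumed header name

# Constructed combined-format access log: line 2 carries the token in the
# request URL, line 3 carries it again in the Referer of the next request.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2019:10:00:01 +0100] "GET /users/alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [01/Jan/2019:10:00:07 +0100] "POST /users/alice/avatar.png?atl_token=a1b2c3d4 HTTP/1.1" 200 312 "https://bitbucket.example/users/alice" "Mozilla/5.0"',
    '10.0.0.5 - alice [01/Jan/2019:10:00:09 +0100] "GET /projects HTTP/1.1" 200 9000 "https://bitbucket.example/users/alice/avatar.png?atl_token=a1b2c3d4" "Mozilla/5.0"',
]


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by a server-side check."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def tokens_in_url(url: str, param: str = TOKEN_PARAM) -> list[str]:
    """Return every value of `param` present in the query string of `url`."""
    return parse_qs(urlsplit(url).query).get(param, [])


def find_token_leaks(log_lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan combined-format log lines; report (line no, where, token) for every
    CSRF token found in the request URL or in the Referer field."""
    leaks = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split('"')
        if len(parts) < 6:          # not a well-formed combined log line
            continue
        request_line, referer = parts[1], parts[3]
        fields = request_line.split()
        if len(fields) < 2:
            continue
        for tok in tokens_in_url(fields[1]):
            leaks.append((n, "request", tok))
        for tok in tokens_in_url(referer):
            leaks.append((n, "referer", tok))
    return leaks


def validate_csrf_vulnerable(req: Request, session_token: str) -> bool:
    """The pattern the advisory describes: the token is honoured wherever it
    appears, including the query string."""
    candidates = tokens_in_url(req.url) + [
        req.form.get(TOKEN_PARAM),
        req.headers.get(TOKEN_HEADER),
    ]
    return any(c is not None and hmac.compare_digest(c, session_token)
               for c in candidates)


def validate_csrf_hardened(req: Request, session_token: str) -> bool:
    """Accept the token only from the POST body or a request header.
    A token in the URL is rejected outright so it can never be sent that way."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True                 # safe methods need no token
    if tokens_in_url(req.url):
        return False                # token in URL: treat as a leak, not as auth
    supplied = req.form.get(TOKEN_PARAM) or req.headers.get(TOKEN_HEADER)
    if supplied is None:
        return False
    return hmac.compare_digest(supplied, session_token)


if __name__ == "__main__":
    print(find_token_leaks(SAMPLE_LOG))
    leaked = Request("POST", "/users/alice/avatar.png?atl_token=a1b2c3d4")
    print(validate_csrf_vulnerable(leaked, "a1b2c3d4"),
          validate_csrf_hardened(leaked, "a1b2c3d4"))
```

Rejecting a URL-borne token, rather than silently ignoring it, is a deliberate choice: it surfaces the mistake during development instead of leaving a request path that works but leaks. Because the advisory notes that the token stays valid for the whole session, rotating it after each use would additionally limit the value of any copy that has already reached a log.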
- 2019-03-28 Vulnerability securely submitted to firstname.lastname@example.org
- 2019-04-11 Second contact attempt via contact form
- 2019-05-23 Atlassian Security Team agreed to the publication of the advisory
- 2019-07-31 Security advisory released
This security vulnerability was found by Tobias Neitzel and Julian Frey of usd AG.