[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
<\/span><\/p>\n <\/span>Advisory ID<\/strong>: usd-2019-0019<\/span> The logfile analyzer inside the admin menu can be used to enumarate existing file names inside the operating system.<\/span><\/p>\n <\/span><\/p>\n If one specifies a path to a non existing file, the application displays a different error message as if the path would lead to an existing file.<\/span> [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n Analysing logfiles should be limited to a specified part of the directory system.<\/span><\/p>\n
CVE Number<\/strong>: N\/A<\/span>
Affected Product<\/strong>: Bitbucket<\/span>
Affected Version<\/strong>: v5.10.1<\/span>
Vulnerability Type<\/strong>: File Enumeration<\/span>
Security Risk<\/strong>: Low<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.atlassian.com<\/a>
Vendor Status<\/strong>: Not fixed<\/span><\/p>\n<\/h3>\n
Description<\/h3>\n
Proof of Concept (PoC)<\/h3>\n
This was tested with the paths \u201e\/etc\/passwd\u201c and \u201e\/non\/existend\u201c.<\/span><\/p>\nFix<\/h3>\n
<\/h3>\n
Timeline<\/h3>\n