[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
<\/span> A server side request forgery (SSRF) vulnerability was discovered in the \u201eWebhooks\u201c section if the repository settings page. An authenticated attacker can set the URL field to internal IP addresses and retrieve data using the \u201eTest connection\u201c feature.<\/span><\/p>\n <\/span><\/p>\n 1. A new webhook is created under \u201eRepositoy settings -> Webhooks\u201c with a URL pointing to an internal IP \/ port combination. URL of the page is <\/span>\/plugins\/servlet\/webhooks\/projects\/PROJECT_NAME\/repos\/REPO_NAME\/<\/em>create<\/em>.In our example we use a URL value of \u201ehttp:\/\/127.0.0.1:22\u201c to connect to the local SSH daemon:<\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200023_01.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200023_01\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n 2. The attacker uses the \u201eTest Connection\u201c feature. There will be a link titled \u201eView details\u201c. Clicking it reveals the SSH version banner:<\/span><\/p>\n [\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200023_02.png\" title_text=\"usd20200023_02\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200023_03.png\" title_text=\"usd20200023_03\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n The last image shows the Apache MINA SSHD banner on port 15998 that we found running on this instance of Bitbucket Server.<\/p>\n<\/div>\n<\/div>\n<\/div>\n [\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n Consider adding an instance-wide whitelisting feature or deploy a comprehensive filtering of local and internal IP addresses.<\/p>\n<\/div>\n https:\/\/owasp.org\/www-community\/attacks\/Server_Side_Request_Forgery<\/a><\/p>\n This security vulnerability was found by Marcus Nilsson of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2020-0023 (CVE-2020-14170) | Bitbucket Server 7.3 Advisory ID: usd-2020-0023CVE Number: CVE-2020-14170Affected Product: Bitbucket ServerAffected Version: 5.4.0 <= version < 7.3.1Vulnerability Type: Server Side Request ForgerySecurity Risk: MediumVendor URL: https:\/\/www.atlassian.com\/de\/software\/bitbucketVendor Status: Fixed Description A server side request forgery (SSRF) vulnerability was discovered in the \u201eWebhooks\u201c section if the repository settings page. An authenticated attacker can set […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16669","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16669"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16669\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Advisory ID<\/strong>: usd-2020-0023<\/span>
CVE Number<\/strong>: CVE-2020-14170<\/span>
Affected Product<\/strong>: Bitbucket Server<\/span>
Affected Version<\/strong>: 5.4.0 <= version < 7.3.1<\/span>
Vulnerability Type<\/strong>: Server Side Request Forgery<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.atlassian.com\/de\/software\/bitbucket<\/a>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n<\/h3>\n
Description<\/h3>\n
Proof of Concept (PoC)<\/h3>\n
Fix<\/h3>\n
<\/h3>\n
References<\/h3>\n
<\/h3>\n
Timeline<\/h3>\n
\n
<\/h3>\n
Credits<\/h3>\n