{"id":16671,"date":"2021-07-07T16:36:33","date_gmt":"2021-07-07T14:36:33","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2020-0024\/"},"modified":"2021-07-19T14:15:00","modified_gmt":"2021-07-19T12:15:00","slug":"usd-2020-0024","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0024\/","title":{"rendered":"usd-2020-0024"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2020-0024 (CVE-2020-14171) | Bitbucket Server 7.2.3<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0024<\/span>
CVE Number<\/strong>: CVE-2020-14171<\/span>
Affected Product<\/strong>: Bitbucket Server<\/span>
Affected Version<\/strong>: 4.9.0 <= version < 7.2.4<\/span>
Vulnerability Type<\/strong>: Unencrypted Service<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: https:\/\/www.atlassian.com\/de\/software\/bitbucket<\/a><\/span>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Bitbucket allows the import of external repositories. A username and personal access token must be provided when importing repositories from GitHub Enterprise. These credentials get base64 encoded and sent in an import request with Basic Auth.<\/p>\n

It is possible to send such import requests using the unencrypted HTTP protocol. In this case, base64 offers no protection to the credentials and an attacker who performs a man-in-the-middle attack can capture the Basic Auth string and convert it into plain text.<\/p>\n

<\/h3>\n

Proof of Concept (PoC)<\/h3>\n

1. Go to the repository import page (\u201e\/plugins\/servlet\/import-repository\/~USERNAME#landing-page\u201c) and enter a URL starting with \u201ehttp:\/\/\u201c into the \u201eServer URL\u201c field and enter your credentials into the \u201eUsername\u201c and \u201ePersonal access token\u201c fields:<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200024_01.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200024_01\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

2. The MitM attacker can see the unencrypted HTTP request sent by the Atlassian HttpClient:<\/span><\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200024_02.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200024_02\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd20200024_03.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd20200024_03\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Consider to only allow encrypted (HTTPS) connections for the Github Enterprise importing feature. If this is not possible, it might still be an added benefit to warn the end-user about the possible risks before sending the credentials unencrypted.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n