usd-2019-0018 | Bitbucket/v5.10.1

Advisory ID: usd-2019-0018
CVE Number: N/A
Affected Product: Bitbucket
Affected Version: v5.10.1
Vulnerability Type: User Enumeration
Security Risk: Low
Vendor URL: https://www.atlassian.com
Vendor Status: Not fixed

Description

User enumeration is a weakness that lets a malicious actor guess or confirm valid user accounts in a system, typically by brute force. It is most often found in web applications, but it can affect any system that requires user authentication. The attacker looks for differences in the server's response that depend on whether the submitted username (or credentials) is valid.

Proof of Concept (PoC)

Unprivileged users are able to enumerate valid usernames. To do so, a user sends a GET request to "/admin/permissions/users" with the following

GET parameters: "?permission=LICENSED_USER&name=" (with the username to test as the value of "name").

If the username exists, the server responds with an error message stating that the user has insufficient rights for this operation.
If the username does not exist, the server responds with a message stating that the user does not exist.

Fix

Even if the user does not exist, the server should respond with the same error message stating that the requesting user does not have sufficient rights to execute the operation, so that the response does not reveal whether the username is valid.
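The following is an added example and not Bitbucket's or Atlassian's code. It models the two response behaviours described above for a hypothetical permission-lookup endpoint: a "leaky" handler that checks user existence before authorization, and a fixed handler that authorizes first so unprivileged callers always receive the identical error. The user directory, handler names and response texts are constructed for illustration. It also includes a small regression check a defender can keep in a test suite to detect the distinguishable-response pattern.

```python
"""Added example (hypothetical code, not from Bitbucket): response
indistinguishability for a permission-lookup endpoint."""
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed sample user directory; not real data.
USER_DIRECTORY = {"alice", "bob"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


INSUFFICIENT_RIGHTS = Response(403, "Insufficient rights to perform this operation")


def permissions_users_leaky(requester_is_admin: bool, name: str) -> Response:
    """Vulnerable ordering: existence is checked before authorization,
    so an unprivileged caller sees different errors for known and
    unknown usernames (the behaviour the advisory describes)."""
    if name not in USER_DIRECTORY:
        return Response(404, "User does not exist")
    if not requester_is_admin:
        return INSUFFICIENT_RIGHTS
    return Response(200, f"permissions for {name}")


def permissions_users_fixed(requester_is_admin: bool, name: str) -> Response:
    """Fixed ordering: authorization is decided first. Unprivileged
    callers always get the same 403, regardless of whether the user
    exists, so the response leaks no information about the directory."""
    if not requester_is_admin:
        return INSUFFICIENT_RIGHTS
    if name not in USER_DIRECTORY:
        return Response(404, "User does not exist")
    return Response(200, f"permissions for {name}")


def is_enumeration_safe(
    handler: Callable[[bool, str], Response],
    probe_names: Tuple[str, ...] = ("alice", "no_such_user_xyz"),
) -> bool:
    """Regression check: for an unprivileged caller, every probed name
    (one existing, one not) must yield an identical status and body.
    Returns True when the handler is indistinguishable."""
    responses = {handler(False, name) for name in probe_names}
    return len(responses) == 1


if __name__ == "__main__":
    print("leaky handler safe? ", is_enumeration_safe(permissions_users_leaky))  # False
    print("fixed handler safe? ", is_enumeration_safe(permissions_users_fixed))  # True
```

The check compares both status code and body; in a real test it should also cover response headers and, where practical, response timing, since any of these can serve as the distinguishing signal. Note that the fix only closes this particular channel; administrators (who are authorized to query user permissions) still legitimately see whether a user exists.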

Timeline

  • 2019-03-28 Vulnerability securely submitted to security@atlassian.com
  • 2019-04-11 Second contact attempt via contact form
  • 2019-05-23 Atlassian Security Team agreed to the publication of the advisory
  • 2019-07-31 Security advisory released

Credits

This security vulnerability was found by Tobias Neitzel and Julian Frey of usd AG.