CVE-2018-5225: Bitbucket Server Remote Code Execution Vulnerability
A remote code execution vulnerability (CVE-2018-5225) was recently disclosed in Bitbucket Server. An authenticated user can abuse the in-browser file editing feature to edit a symbolic link in a repository and thereby execute code on the server hosting Bitbucket.
Affected Versions
- 3.0 <= Bitbucket Server version < 5.4.8
- 5.5.0 <= Bitbucket Server version < 5.5.8
- 5.6.0 <= Bitbucket Server version < 5.6.5
- 5.7.0 <= Bitbucket Server version < 5.7.3
- 5.8.0 <= Bitbucket Server version < 5.8.2
Unaffected Versions
- Bitbucket Server version 5.4.8
- Bitbucket Server version 5.5.8
- Bitbucket Server version 5.6.5
- Bitbucket Server version 5.7.3
- Bitbucket Server version 5.8.2
- Bitbucket Server version 5.9.0
Solution
Atlassian, the vendor of Bitbucket Server, has released fixed versions for the vulnerability above. Affected users should upgrade to a fixed version as soon as possible.
For users who cannot upgrade immediately, Atlassian has provided a temporary mitigation: disable the in-browser file editor by setting the following in the bitbucket.properties file:
feature.file.editor = false
Because this mitigation does not prevent exploitation through third-party file editing APIs, Atlassian strongly recommends that users upgrade to a fixed version as soon as possible.
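The following is an added example, not part of the original advisory or of Atlassian's own tooling, that turns the version ranges and the bitbucket.properties mitigation above into a quick self-assessment: it classifies a Bitbucket Server version against the affected ranges listed in this advisory (3.0 <= v < 5.4.8, 5.5.0 <= v < 5.5.8, 5.6.0 <= v < 5.6.5, 5.7.0 <= v < 5.7.3, 5.8.0 <= v < 5.8.2) and checks whether feature.file.editor is set to false. The function names and the sample properties content are constructed for this example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as half-open intervals [first affected, first fixed).
AFFECTED_RANGES = [
    ((3, 0, 0), (5, 4, 8)),
    ((5, 5, 0), (5, 5, 8)),
    ((5, 6, 0), (5, 6, 5)),
    ((5, 7, 0), (5, 7, 3)),
    ((5, 8, 0), (5, 8, 2)),
]


def parse_version(s: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; a missing patch counts as 0
    and any suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def file_editor_setting(properties_text: str) -> Optional[str]:
    """Return the effective value of feature.file.editor from bitbucket.properties text.

    Java .properties semantics are approximated: '#' and '!' start comments, the key may be
    followed by '=', ':' or whitespace, and the last assignment wins. None means the key is
    absent (Bitbucket then uses its default, which leaves the editor enabled)."""
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^feature\.file\.editor(?:\s*[=:]\s*|\s+)(\S*)", line)
        if m:
            value = m.group(1)
    return value


def editor_disabled(properties_text: str) -> bool:
    """True only if feature.file.editor is explicitly set to false."""
    value = file_editor_setting(properties_text)
    return value is not None and value.lower() == "false"


def assess(version: str, properties_text: str) -> str:
    """Summarise exposure: version status plus whether the temporary mitigation is in place."""
    if not is_affected(version):
        return "not affected"
    if editor_disabled(properties_text):
        # The advisory notes this does not cover third-party file editing APIs.
        return "affected; in-browser editor disabled (partial mitigation only, upgrade)"
    return "affected; in-browser editor enabled (upgrade now)"


# Constructed sample bitbucket.properties content, not taken from any real installation.
SAMPLE_PROPERTIES = """\
# constructed sample
server.port=7990
feature.file.editor = false
"""

if __name__ == "__main__":
    for ver in ("4.14.3", "5.4.7", "5.4.8", "5.8.1", "5.9.0"):
        print(ver, "->", assess(ver, SAMPLE_PROPERTIES))
```

The version check is intentionally strict about range boundaries: a fixed version such as 5.4.8 is excluded because the ranges are half-open, and a version like 5.4.9 is also treated as fixed since it sits above the fixed release of its line. An explicit "false" is required for the mitigation to count, since an absent key means the editor stays at its default.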
Source: seclists