Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

Affected versions:

• All versions of Bitbucket Server & Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.

h3. What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server & Bitbucket Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-6-6-release-notes-975023322.html]. You can download the latest version of Bitbucket Server from the [download center.|https://www.atlassian.com/software/bitbucket/download]

Fix:

• Bitbucket Server & Bitbucket Data Center 6.6.1 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download/]

• Bitbucket Server & Bitbucket Data Center 6.6.0 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

• Bitbucket Server & Bitbucket Data Center 6.5.2 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

• Bitbucket Server & Bitbucket Data Center 6.4.3 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

• Bitbucket Server & Bitbucket Data Center 6.3.5 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

• Bitbucket Server & Bitbucket Data Center 6.2.6 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

• Bitbucket Server & Bitbucket Data Center 6.1.8 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

• Bitbucket Server & Bitbucket Data Center 6.0.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

• Bitbucket Server & Bitbucket Data Center 5.16.10 contains a fix available for download from [here|https://www.atlassian.com/software/bitbucket/download-archives]

h3. Mitigation

To help mitigate the issue, we have a hotfix available in the form of a plugin that can be enabled with zero downtime. You do not require the hotfix if you are already on a fixed version of Bitbucket, and the hotfix will refuse to install on any fixed version.
{panel:bgColor=#ffffce}
The hotfix works for Bitbucket Server and Bitbucket Data Center instances and can be used to protect systems while planning and executing an upgrade to a fixed version.

Please note that installed apps may still introduce vulnerabilities, even with the hotfix installed. The hotfix only protects the standard functionality of Bitbucket.
{panel}
This hotfix covers:

• Standard Bitbucket functionality and features
• Bitbucket Server and Data Center versions 4.0.0 and later
• Bitbucket Server and Data Center instances

h4. To install the hotfix:

This hotfix is a zero down time installation - No restart is required after installing the hotfix.

Login to Bitbucket with your administrator account

Go to Administration (cog wheel) and navigate to “Addons” → “Manage apps“

Select “Upload App” and provide the URL: {{[^bitbucket-bserv-11896-hotfix-1.0.0.jar]}}

Click “Upload” and wait for the hotfix to install.

If you are unable to upload the hotfix with the URL provided or Bitbucket is behind a firewall, you can download the hotfix plugin Jar from this issue. You are then able to upload the Jar file using the same steps above.

After upgrading to a fixed version there’s no need to remove the hotfix manually; it will be uninstalled automatically as part of the upgrade process.

For additional details, see the [full advisory|https://confluence.atlassian.com/x/Czc4Og].