Design/Logic Flaw

2017-12-0516:29:00

PRIOn knowledge base

www.prio-n.com

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.7%

JSON

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.

CPENameOperatorVersion
bitbucket_auto_unapprove_plugineq1.0.0 beta1
bitbucket_auto_unapprove_plugineq1.0.0
bitbucket_auto_unapprove_plugineq1.1.0
bitbucket_auto_unapprove_plugineq1.2.0
bitbucket_auto_unapprove_plugineq2.0.1
bitbucket_auto_unapprove_plugineq2.0.2
bitbucket_auto_unapprove_plugineq2.0.4
bitbucket_auto_unapprove_plugineq2.1.1
bitbucket_auto_unapprove_plugineq2.1.3
bitbucket_auto_unapprove_plugineq2.2.0

Name	Operator	Version
bitbucket_auto_unapprove_plugin	eq	1.0.0 beta1
bitbucket_auto_unapprove_plugin	eq	1.0.0
bitbucket_auto_unapprove_plugin	eq	1.1.0
bitbucket_auto_unapprove_plugin	eq	1.2.0
bitbucket_auto_unapprove_plugin	eq	2.0.1
bitbucket_auto_unapprove_plugin	eq	2.0.2
bitbucket_auto_unapprove_plugin	eq	2.0.4
bitbucket_auto_unapprove_plugin	eq	2.1.1
bitbucket_auto_unapprove_plugin	eq	2.1.3
bitbucket_auto_unapprove_plugin	eq	2.2.0

Rows per page:

1-10 of 111

References

jira.atlassian.com/browse/BSERV-10439