CVE-2018-5225
CRITICAL severity · CVSS 9.9 · CWE-59
9.9CVSS CRITICAL
Summary
In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)3%
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Additional information
- NVD record
- https://confluence.atlassian.com/x/3WNsOAdvisory
- https://jira.atlassian.com/browse/BSERV-10684Advisory
- https://confluence.atlassian.com/x/3WNsOAdvisory
- https://jira.atlassian.com/browse/BSERV-10684Advisory
- http://www.securityfocus.com/bid/103488Advisory
- http://www.securityfocus.com/bid/103488Advisory