CVE-2017-16857

Опубликовано: 05 дек. 2017

Источник: nvd

CVSS3: 8.5

CVSS2: 6

EPSS Низкий

Описание

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.

Ссылки

https://jira.atlassian.com/browse/BSERV-10439
Issue Tracking
Vendor Advisory
https://jira.atlassian.com/browse/BSERV-10439
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.0.0:beta1:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.1.0:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.2.0:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.2:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.4:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.1.3:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:3.0.0:*:*:*:*:*:*:*

EPSS

Процентиль: 50%

0.00274

Низкий

8.5 High

CVSS3

6 Medium

CVSS2

Дефекты

CWE-362

Связанные уязвимости

GHSA-wrg5-4633-4gg8