Search
Find a vulnerability
Search criteria
6 vulnerabilities found for bitbucket_data_center by atlassian
CVE-2024-21684 (GCVE-0-2024-21684)
Vulnerability from nvd – Published: 2024-07-24 18:00 – Updated: 2024-11-05 19:19
VLAI
Summary
There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2.
This open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for further exploitation which has low impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction.
Atlassian recommends that Bitbucket Data Center customers upgrade to the version. If you are unable to do so, upgrade your instance to one of the supported fixed versions.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Open Redirect
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Bitbucket Data Center |
Affected:
8.19.1
Affected: 8.9.0 to 8.9.12 Affected: 8.8.0 to 8.8.7 Affected: 8.7.0 to 8.7.5 Affected: 8.6.0 to 8.6.4 Affected: 8.5.0 to 8.5.4 Affected: 8.4.0 to 8.4.4 Affected: 8.3.0 to 8.3.4 Affected: 8.2.2 to 8.2.4 Affected: 8.1.3 to 8.1.5 Affected: 8.0.3 to 8.0.5 Unaffected: 8.19.2 to 8.19.6 Unaffected: 8.9.13 to 8.9.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21684",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-24T18:45:18.293627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T19:19:43.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-19454"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "8.19.1"
},
{
"status": "affected",
"version": "8.9.0 to 8.9.12"
},
{
"status": "affected",
"version": "8.8.0 to 8.8.7"
},
{
"status": "affected",
"version": "8.7.0 to 8.7.5"
},
{
"status": "affected",
"version": "8.6.0 to 8.6.4"
},
{
"status": "affected",
"version": "8.5.0 to 8.5.4"
},
{
"status": "affected",
"version": "8.4.0 to 8.4.4"
},
{
"status": "affected",
"version": "8.3.0 to 8.3.4"
},
{
"status": "affected",
"version": "8.2.2 to 8.2.4"
},
{
"status": "affected",
"version": "8.1.3 to 8.1.5"
},
{
"status": "affected",
"version": "8.0.3 to 8.0.5"
},
{
"status": "unaffected",
"version": "8.19.2 to 8.19.6"
},
{
"status": "unaffected",
"version": "8.9.13 to 8.9.17"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Taha YILDIRIM"
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2.\n\nThis open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for further exploitation which has low impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction.\n\nAtlassian recommends that Bitbucket Data Center customers upgrade to the version. If you are unable to do so, upgrade your instance to one of the supported fixed versions."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "Open Redirect"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T18:00:02.553Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/BSERV-19454"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2024-21684",
"datePublished": "2024-07-24T18:00:01.656Z",
"dateReserved": "2024-01-01T00:05:33.846Z",
"dateUpdated": "2024-11-05T19:19:43.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22513 (GCVE-0-2023-22513)
Vulnerability from nvd – Published: 2023-09-19 17:00 – Updated: 2025-03-06 15:44
VLAI
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5 Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5 Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4 Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2 Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1 Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0 Bitbucket Data Center and Server version >= 8.0 and < 8.9: Upgrade to any of the listed fix versions. See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). This vulnerability was discovered by a private user and reported via our Bug Bounty program
Severity
8.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- RCE (Remote Code Execution)
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Bitbucket Data Center |
Unaffected:
< 8.0.0
Affected: >= 8.0.0 Affected: >= 8.1.0 Affected: >= 8.10.0 Affected: >= 8.11.0 Affected: >= 8.12.0 Affected: >= 8.13.0 Affected: >= 8.2.0 Affected: >= 8.3.0 Affected: >= 8.4.0 Affected: >= 8.5.0 Affected: >= 8.6.0 Affected: >= 8.7.0 Affected: >= 8.8.0 Affected: >= 8.9.0 Unaffected: >= 8.10.5 Unaffected: >= 8.11.4 Unaffected: >= 8.12.2 Unaffected: >= 8.13.1 Unaffected: >= 8.14.0 Unaffected: >= 8.9.5 |
|
| Atlassian | Bitbucket Server |
Unaffected:
< 8.0.0
Affected: >= 8.0.0 Affected: >= 8.1.0 Affected: >= 8.10.0 Affected: >= 8.11.0 Affected: >= 8.12.0 Affected: >= 8.13.0 Affected: >= 8.2.0 Affected: >= 8.3.0 Affected: >= 8.4.0 Affected: >= 8.5.0 Affected: >= 8.6.0 Affected: >= 8.7.0 Affected: >= 8.8.0 Affected: >= 8.9.0 Unaffected: >= 8.10.5 Unaffected: >= 8.11.4 Unaffected: >= 8.12.2 Unaffected: >= 8.13.1 Unaffected: >= 8.14.0 Unaffected: >= 8.9.5 |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-14419"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22513",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T15:27:08.376997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T15:44:37.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 8.0.0"
},
{
"status": "affected",
"version": "\u003e= 8.0.0"
},
{
"status": "affected",
"version": "\u003e= 8.1.0"
},
{
"status": "affected",
"version": "\u003e= 8.10.0"
},
{
"status": "affected",
"version": "\u003e= 8.11.0"
},
{
"status": "affected",
"version": "\u003e= 8.12.0"
},
{
"status": "affected",
"version": "\u003e= 8.13.0"
},
{
"status": "affected",
"version": "\u003e= 8.2.0"
},
{
"status": "affected",
"version": "\u003e= 8.3.0"
},
{
"status": "affected",
"version": "\u003e= 8.4.0"
},
{
"status": "affected",
"version": "\u003e= 8.5.0"
},
{
"status": "affected",
"version": "\u003e= 8.6.0"
},
{
"status": "affected",
"version": "\u003e= 8.7.0"
},
{
"status": "affected",
"version": "\u003e= 8.8.0"
},
{
"status": "affected",
"version": "\u003e= 8.9.0"
},
{
"status": "unaffected",
"version": "\u003e= 8.10.5"
},
{
"status": "unaffected",
"version": "\u003e= 8.11.4"
},
{
"status": "unaffected",
"version": "\u003e= 8.12.2"
},
{
"status": "unaffected",
"version": "\u003e= 8.13.1"
},
{
"status": "unaffected",
"version": "\u003e= 8.14.0"
},
{
"status": "unaffected",
"version": "\u003e= 8.9.5"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 8.0.0"
},
{
"status": "affected",
"version": "\u003e= 8.0.0"
},
{
"status": "affected",
"version": "\u003e= 8.1.0"
},
{
"status": "affected",
"version": "\u003e= 8.10.0"
},
{
"status": "affected",
"version": "\u003e= 8.11.0"
},
{
"status": "affected",
"version": "\u003e= 8.12.0"
},
{
"status": "affected",
"version": "\u003e= 8.13.0"
},
{
"status": "affected",
"version": "\u003e= 8.2.0"
},
{
"status": "affected",
"version": "\u003e= 8.3.0"
},
{
"status": "affected",
"version": "\u003e= 8.4.0"
},
{
"status": "affected",
"version": "\u003e= 8.5.0"
},
{
"status": "affected",
"version": "\u003e= 8.6.0"
},
{
"status": "affected",
"version": "\u003e= 8.7.0"
},
{
"status": "affected",
"version": "\u003e= 8.8.0"
},
{
"status": "affected",
"version": "\u003e= 8.9.0"
},
{
"status": "unaffected",
"version": "\u003e= 8.10.5"
},
{
"status": "unaffected",
"version": "\u003e= 8.11.4"
},
{
"status": "unaffected",
"version": "\u003e= 8.12.2"
},
{
"status": "unaffected",
"version": "\u003e= 8.13.1"
},
{
"status": "unaffected",
"version": "\u003e= 8.14.0"
},
{
"status": "unaffected",
"version": "\u003e= 8.9.5"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "a private user"
}
],
"descriptions": [
{
"lang": "en",
"value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5 Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5 Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4 Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2 Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1 Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0 Bitbucket Data Center and Server version \u003e= 8.0 and \u003c 8.9: Upgrade to any of the listed fix versions. See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). This vulnerability was discovered by a private user and reported via our Bug Bounty program"
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RCE (Remote Code Execution)",
"lang": "en",
"type": "RCE (Remote Code Execution)"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-19T18:30:00.597Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616"
},
{
"url": "https://jira.atlassian.com/browse/BSERV-14419"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2023-22513",
"datePublished": "2023-09-19T17:00:00.980Z",
"dateReserved": "2023-01-01T00:01:22.330Z",
"dateUpdated": "2025-03-06T15:44:37.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26133 (GCVE-0-2022-26133)
Vulnerability from nvd – Published: 2022-04-20 18:30 – Updated: 2024-10-03 14:55
VLAI
Summary
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Deserialization of untrusted data
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/BSERV-13173 | x_refsource_MISC |
| https://confluence.atlassian.com/security/multipl… | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Bitbucket Data Center |
Affected:
5.14.0 , < unspecified
(custom)
Affected: unspecified , < 7.6.14 (custom) Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.17.6 (custom) Affected: 7.18.0 , < unspecified (custom) Affected: unspecified , < 7.18.4 (custom) Affected: 7.19.0 , < unspecified (custom) Affected: unspecified , < 7.19.4 (custom) Affected: 7.20.0 |
|
| atlassian | bitbucket_data_center |
Affected:
5.14.0 , < 7.6.14
(custom)
Affected: 7.7.0 , < 7.17.6 (custom) Affected: 7.18.0 , < 7.18.4 (custom) Affected: 7.19.0 , < 7.19.4 (custom) cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:* |
|
| atlassian | bitbucket_data_center |
Affected:
7.20.0
cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:* |
Date Public
2022-03-24 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13173"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.14",
"status": "affected",
"version": "5.14.0",
"versionType": "custom"
},
{
"lessThan": "7.17.6",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.18.4",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.4",
"status": "affected",
"version": "7.19.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.20.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T14:41:09.024921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T14:55:36.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.14.0",
"versionType": "custom"
},
{
"lessThan": "7.6.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.17.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.18.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.19.0",
"versionType": "custom"
},
{
"lessThan": "7.19.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.20.0"
}
]
}
],
"datePublic": "2022-03-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization of untrusted data",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-20T18:30:19.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-13173"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2022-03-24T23:00:00",
"ID": "CVE-2022-26133",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "5.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.6.14"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.6"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.18.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.19.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.4"
},
{
"version_affected": "=",
"version_value": "7.20.0"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Deserialization of untrusted data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-13173",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-13173"
},
{
"name": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html",
"refsource": "MISC",
"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-26133",
"datePublished": "2022-04-20T18:30:19.225Z",
"dateReserved": "2022-02-25T00:00:00.000Z",
"dateUpdated": "2024-10-03T14:55:36.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21684 (GCVE-0-2024-21684)
Vulnerability from cvelistv5 – Published: 2024-07-24 18:00 – Updated: 2024-11-05 19:19
VLAI
Summary
There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2.
This open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for further exploitation which has low impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction.
Atlassian recommends that Bitbucket Data Center customers upgrade to the version. If you are unable to do so, upgrade your instance to one of the supported fixed versions.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Open Redirect
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Bitbucket Data Center |
Affected:
8.19.1
Affected: 8.9.0 to 8.9.12 Affected: 8.8.0 to 8.8.7 Affected: 8.7.0 to 8.7.5 Affected: 8.6.0 to 8.6.4 Affected: 8.5.0 to 8.5.4 Affected: 8.4.0 to 8.4.4 Affected: 8.3.0 to 8.3.4 Affected: 8.2.2 to 8.2.4 Affected: 8.1.3 to 8.1.5 Affected: 8.0.3 to 8.0.5 Unaffected: 8.19.2 to 8.19.6 Unaffected: 8.9.13 to 8.9.17 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21684",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-24T18:45:18.293627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T19:19:43.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-19454"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "8.19.1"
},
{
"status": "affected",
"version": "8.9.0 to 8.9.12"
},
{
"status": "affected",
"version": "8.8.0 to 8.8.7"
},
{
"status": "affected",
"version": "8.7.0 to 8.7.5"
},
{
"status": "affected",
"version": "8.6.0 to 8.6.4"
},
{
"status": "affected",
"version": "8.5.0 to 8.5.4"
},
{
"status": "affected",
"version": "8.4.0 to 8.4.4"
},
{
"status": "affected",
"version": "8.3.0 to 8.3.4"
},
{
"status": "affected",
"version": "8.2.2 to 8.2.4"
},
{
"status": "affected",
"version": "8.1.3 to 8.1.5"
},
{
"status": "affected",
"version": "8.0.3 to 8.0.5"
},
{
"status": "unaffected",
"version": "8.19.2 to 8.19.6"
},
{
"status": "unaffected",
"version": "8.9.13 to 8.9.17"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Taha YILDIRIM"
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2.\n\nThis open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for further exploitation which has low impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction.\n\nAtlassian recommends that Bitbucket Data Center customers upgrade to the version. If you are unable to do so, upgrade your instance to one of the supported fixed versions."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Open Redirect",
"lang": "en",
"type": "Open Redirect"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T18:00:02.553Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://jira.atlassian.com/browse/BSERV-19454"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2024-21684",
"datePublished": "2024-07-24T18:00:01.656Z",
"dateReserved": "2024-01-01T00:05:33.846Z",
"dateUpdated": "2024-11-05T19:19:43.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22513 (GCVE-0-2023-22513)
Vulnerability from cvelistv5 – Published: 2023-09-19 17:00 – Updated: 2025-03-06 15:44
VLAI
Summary
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5 Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5 Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4 Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2 Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1 Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0 Bitbucket Data Center and Server version >= 8.0 and < 8.9: Upgrade to any of the listed fix versions. See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). This vulnerability was discovered by a private user and reported via our Bug Bounty program
Severity
8.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- RCE (Remote Code Execution)
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Bitbucket Data Center |
Unaffected:
< 8.0.0
Affected: >= 8.0.0 Affected: >= 8.1.0 Affected: >= 8.10.0 Affected: >= 8.11.0 Affected: >= 8.12.0 Affected: >= 8.13.0 Affected: >= 8.2.0 Affected: >= 8.3.0 Affected: >= 8.4.0 Affected: >= 8.5.0 Affected: >= 8.6.0 Affected: >= 8.7.0 Affected: >= 8.8.0 Affected: >= 8.9.0 Unaffected: >= 8.10.5 Unaffected: >= 8.11.4 Unaffected: >= 8.12.2 Unaffected: >= 8.13.1 Unaffected: >= 8.14.0 Unaffected: >= 8.9.5 |
|
| Atlassian | Bitbucket Server |
Unaffected:
< 8.0.0
Affected: >= 8.0.0 Affected: >= 8.1.0 Affected: >= 8.10.0 Affected: >= 8.11.0 Affected: >= 8.12.0 Affected: >= 8.13.0 Affected: >= 8.2.0 Affected: >= 8.3.0 Affected: >= 8.4.0 Affected: >= 8.5.0 Affected: >= 8.6.0 Affected: >= 8.7.0 Affected: >= 8.8.0 Affected: >= 8.9.0 Unaffected: >= 8.10.5 Unaffected: >= 8.11.4 Unaffected: >= 8.12.2 Unaffected: >= 8.13.1 Unaffected: >= 8.14.0 Unaffected: >= 8.9.5 |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616"
},
{
"tags": [
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-14419"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22513",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-06T15:27:08.376997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-06T15:44:37.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 8.0.0"
},
{
"status": "affected",
"version": "\u003e= 8.0.0"
},
{
"status": "affected",
"version": "\u003e= 8.1.0"
},
{
"status": "affected",
"version": "\u003e= 8.10.0"
},
{
"status": "affected",
"version": "\u003e= 8.11.0"
},
{
"status": "affected",
"version": "\u003e= 8.12.0"
},
{
"status": "affected",
"version": "\u003e= 8.13.0"
},
{
"status": "affected",
"version": "\u003e= 8.2.0"
},
{
"status": "affected",
"version": "\u003e= 8.3.0"
},
{
"status": "affected",
"version": "\u003e= 8.4.0"
},
{
"status": "affected",
"version": "\u003e= 8.5.0"
},
{
"status": "affected",
"version": "\u003e= 8.6.0"
},
{
"status": "affected",
"version": "\u003e= 8.7.0"
},
{
"status": "affected",
"version": "\u003e= 8.8.0"
},
{
"status": "affected",
"version": "\u003e= 8.9.0"
},
{
"status": "unaffected",
"version": "\u003e= 8.10.5"
},
{
"status": "unaffected",
"version": "\u003e= 8.11.4"
},
{
"status": "unaffected",
"version": "\u003e= 8.12.2"
},
{
"status": "unaffected",
"version": "\u003e= 8.13.1"
},
{
"status": "unaffected",
"version": "\u003e= 8.14.0"
},
{
"status": "unaffected",
"version": "\u003e= 8.9.5"
}
]
},
{
"product": "Bitbucket Server",
"vendor": "Atlassian",
"versions": [
{
"status": "unaffected",
"version": "\u003c 8.0.0"
},
{
"status": "affected",
"version": "\u003e= 8.0.0"
},
{
"status": "affected",
"version": "\u003e= 8.1.0"
},
{
"status": "affected",
"version": "\u003e= 8.10.0"
},
{
"status": "affected",
"version": "\u003e= 8.11.0"
},
{
"status": "affected",
"version": "\u003e= 8.12.0"
},
{
"status": "affected",
"version": "\u003e= 8.13.0"
},
{
"status": "affected",
"version": "\u003e= 8.2.0"
},
{
"status": "affected",
"version": "\u003e= 8.3.0"
},
{
"status": "affected",
"version": "\u003e= 8.4.0"
},
{
"status": "affected",
"version": "\u003e= 8.5.0"
},
{
"status": "affected",
"version": "\u003e= 8.6.0"
},
{
"status": "affected",
"version": "\u003e= 8.7.0"
},
{
"status": "affected",
"version": "\u003e= 8.8.0"
},
{
"status": "affected",
"version": "\u003e= 8.9.0"
},
{
"status": "unaffected",
"version": "\u003e= 8.10.5"
},
{
"status": "unaffected",
"version": "\u003e= 8.11.4"
},
{
"status": "unaffected",
"version": "\u003e= 8.12.2"
},
{
"status": "unaffected",
"version": "\u003e= 8.13.1"
},
{
"status": "unaffected",
"version": "\u003e= 8.14.0"
},
{
"status": "unaffected",
"version": "\u003e= 8.9.5"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "a private user"
}
],
"descriptions": [
{
"lang": "en",
"value": "This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Bitbucket Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5 Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5 Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4 Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2 Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1 Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0 Bitbucket Data Center and Server version \u003e= 8.0 and \u003c 8.9: Upgrade to any of the listed fix versions. See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). This vulnerability was discovered by a private user and reported via our Bug Bounty program"
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "RCE (Remote Code Execution)",
"lang": "en",
"type": "RCE (Remote Code Execution)"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-19T18:30:00.597Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1283691616"
},
{
"url": "https://jira.atlassian.com/browse/BSERV-14419"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2023-22513",
"datePublished": "2023-09-19T17:00:00.980Z",
"dateReserved": "2023-01-01T00:01:22.330Z",
"dateUpdated": "2025-03-06T15:44:37.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26133 (GCVE-0-2022-26133)
Vulnerability from cvelistv5 – Published: 2022-04-20 18:30 – Updated: 2024-10-03 14:55
VLAI
Summary
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- Deserialization of untrusted data
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://jira.atlassian.com/browse/BSERV-13173 | x_refsource_MISC |
| https://confluence.atlassian.com/security/multipl… | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Bitbucket Data Center |
Affected:
5.14.0 , < unspecified
(custom)
Affected: unspecified , < 7.6.14 (custom) Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.17.6 (custom) Affected: 7.18.0 , < unspecified (custom) Affected: unspecified , < 7.18.4 (custom) Affected: 7.19.0 , < unspecified (custom) Affected: unspecified , < 7.19.4 (custom) Affected: 7.20.0 |
|
| atlassian | bitbucket_data_center |
Affected:
5.14.0 , < 7.6.14
(custom)
Affected: 7.7.0 , < 7.17.6 (custom) Affected: 7.18.0 , < 7.18.4 (custom) Affected: 7.19.0 , < 7.19.4 (custom) cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:* |
|
| atlassian | bitbucket_data_center |
Affected:
7.20.0
cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:* |
Date Public
2022-03-24 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:56:37.656Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/BSERV-13173"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "7.6.14",
"status": "affected",
"version": "5.14.0",
"versionType": "custom"
},
{
"lessThan": "7.17.6",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.18.4",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.19.4",
"status": "affected",
"version": "7.19.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "bitbucket_data_center",
"vendor": "atlassian",
"versions": [
{
"status": "affected",
"version": "7.20.0"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-26133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T14:41:09.024921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T14:55:36.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bitbucket Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.14.0",
"versionType": "custom"
},
{
"lessThan": "7.6.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.17.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.18.0",
"versionType": "custom"
},
{
"lessThan": "7.18.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.19.0",
"versionType": "custom"
},
{
"lessThan": "7.19.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "7.20.0"
}
]
}
],
"datePublic": "2022-03-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization of untrusted data",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-20T18:30:19.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/BSERV-13173"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2022-03-24T23:00:00",
"ID": "CVE-2022-26133",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bitbucket Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "5.14.0"
},
{
"version_affected": "\u003c",
"version_value": "7.6.14"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003c",
"version_value": "7.17.6"
},
{
"version_affected": "\u003e=",
"version_value": "7.18.0"
},
{
"version_affected": "\u003c",
"version_value": "7.18.4"
},
{
"version_affected": "\u003e=",
"version_value": "7.19.0"
},
{
"version_affected": "\u003c",
"version_value": "7.19.4"
},
{
"version_affected": "=",
"version_value": "7.20.0"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Deserialization of untrusted data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/BSERV-13173",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/BSERV-13173"
},
{
"name": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html",
"refsource": "MISC",
"url": "https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2022-26133",
"datePublished": "2022-04-20T18:30:19.225Z",
"dateReserved": "2022-02-25T00:00:00.000Z",
"dateUpdated": "2024-10-03T14:55:36.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}