CVE-2019-15010

CVE Database · CVE-2019-15010

CVE-2019-15010

· HIGHModified

CVSS v3.1

8.8

EPSS

2.57%

Published

Jan 15, 2020

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Bitbucket Server and Bitbucket Data Center versions starting from version 3.0.0 before version 5.16.11, from version 6.0.0 before 6.0.11, from version 6.1.0 before 6.1.9, from version 6.2.0 before 6.2.7, from version 6.3.0 before 6.3.6, from version 6.4.0 before 6.4.4, from version 6.5.0 before 6.5.3, from version 6.6.0 before 6.6.3, from version 6.7.0 before 6.7.3, from version 6.8.0 before 6.8.2, and from version 6.9.0 before 6.9.1 had a Remote Code Execution vulnerability via certain user input fields. A remote attacker with user level permissions can exploit this vulnerability to run arbitrary commands on the victim's systems. Using a specially crafted payload as user input, the attacker can execute arbitrary commands on the victim's Bitbucket Server or Bitbucket Data Center instance.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-77

Affected Products (11)

atlassian · bitbucket (up to 5.6.11)vulnerable

atlassian · bitbucket (up to 6.0.11)vulnerable

atlassian · bitbucket (up to 6.1.9)vulnerable

atlassian · bitbucket (up to 6.2.7)vulnerable

atlassian · bitbucket (up to 6.3.6)vulnerable

atlassian · bitbucket (up to 6.4.4)vulnerable

atlassian · bitbucket (up to 6.5.3)vulnerable