CVE-2018-5225

EPSS 2.69%
Veröffentlicht 22.03.2018 13:29:00
Zuletzt bearbeitet 21.11.2024 04:08:22
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Bitbucket Version >= 4.13.0 < 5.4.8

Atlassian ≫ Bitbucket Version > 5.5.0 < 5.5.8

Atlassian ≫ Bitbucket Version >= 5.6.0 < 5.6.5

Atlassian ≫ Bitbucket Version >= 5.7.0 < 5.7.3

Atlassian ≫ Bitbucket Version >= 5.8.0 < 5.8.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.69%	0.854

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.9	3.1	6	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

http://www.securityfocus.com/bid/103488

Third Party Advisory

VDB Entry

https://confluence.atlassian.com/x/3WNsO

Vendor Advisory

https://jira.atlassian.com/browse/BSERV-10684

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-5225

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-5225

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-5225

EUVD