9.9

CVE-2018-5225

In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x), allows authenticated users to gain remote code execution using the in browser editing feature via editing a symbolic link within a repository.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AtlassianBitbucket Version >= 4.13.0 < 5.4.8
AtlassianBitbucket Version > 5.5.0 < 5.5.8
AtlassianBitbucket Version >= 5.6.0 < 5.6.5
AtlassianBitbucket Version >= 5.7.0 < 5.7.3
AtlassianBitbucket Version >= 5.8.0 < 5.8.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 3.62% 0.88
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.9 3.1 6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

http://www.securityfocus.com/bid/103488
Third Party Advisory
VDB Entry
https://confluence.atlassian.com/x/3WNsO
Vendor Advisory
https://jira.atlassian.com/browse/BSERV-10684
Vendor Advisory