-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at https://confluence.atlassian.com/x/Czc4Og .

CVE ID:

* CVE-2019-15000.

Product: Bitbucket Server and Bitbucket Data Center.

Affected Bitbucket Server and Bitbucket Data Center product versions:

  version < 5.16.10
  6.0.0 <= version < 6.0.10
  6.1.0 <= version < 6.1.8
  6.2.0 <= version < 6.2.6
  6.3.0 <= version < 6.3.5
  6.4.0 <= version < 6.4.3
  6.5.0 <= version < 6.5.2

Fixed Bitbucket Server and Bitbucket Data Center product versions:

* for 5.16.x, Bitbucket Server and Bitbucket Data Center 5.16.10 has been released with a fix for this issue.
* for 6.0.x, Bitbucket Server and Bitbucket Data Center 6.0.10 has been released with a fix for this issue.
* for 6.1.x, Bitbucket Server and Bitbucket Data Center 6.1.8 has been released with a fix for this issue.
* for 6.2.x, Bitbucket Server and Bitbucket Data Center 6.2.6 has been released with a fix for this issue.
* for 6.3.x, Bitbucket Server and Bitbucket Data Center 6.3.5 has been released with a fix for this issue.
* for 6.4.x, Bitbucket Server and Bitbucket Data Center 6.4.3 has been released with a fix for this issue.
* for 6.5.x, Bitbucket Server and Bitbucket Data Center 6.5.2 has been released with a fix for this issue.

Summary:

This advisory discloses a critical severity security vulnerability. Versions of Bitbucket Server and Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from version 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from version 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from version 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from version 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from version 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from version 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.
Customers who have upgraded Bitbucket Server and Bitbucket Data Center to version 5.16.10 or 6.0.10 or 6.1.8 or 6.2.6 or 6.3.5 or 6.4.3 or 6.5.2 or 6.6.0 are not affected.

Customers who have downloaded and installed Bitbucket Server and Bitbucket Data Center less than 5.16.10 (the fixed version for 5.16.x), or who have downloaded and installed Bitbucket Server and Bitbucket Data Center >= 6.0.0 but less than 6.0.10 (the fixed version for 6.0.x), or who have downloaded and installed Bitbucket Server and Bitbucket Data Center >= 6.1.0 but less than 6.1.8 (the fixed version for 6.1.x), or who have downloaded and installed Bitbucket Server and Bitbucket Data Center >= 6.2.0 but less than 6.2.6 (the fixed version for 6.2.x), or who have downloaded and installed Bitbucket Server and Bitbucket Data Center >= 6.3.0 but less than 6.3.5 (the fixed version for 6.3.x), or who have downloaded and installed Bitbucket Server and Bitbucket Data Center >= 6.4.0 but less than 6.4.3 (the fixed version for 6.4.x), or who have downloaded and installed Bitbucket Server and Bitbucket Data Center >= 6.5.0 but less than 6.5.2 (the fixed version for 6.5.x): please upgrade your Bitbucket Server and Bitbucket Data Center installations immediately to fix this vulnerability.

Argument Injection - CVE-2019-15000

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

Bitbucket Server and Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center.
If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

Versions of Bitbucket Server and Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from version 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from version 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from version 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from version 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from version 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from version 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/BSERV-11947 .

Fix:

To address this issue, we've released the following versions containing a fix:

* Bitbucket Server and Bitbucket Data Center version 5.16.10
* Bitbucket Server and Bitbucket Data Center version 6.0.10
* Bitbucket Server and Bitbucket Data Center version 6.1.8
* Bitbucket Server and Bitbucket Data Center version 6.2.6
* Bitbucket Server and Bitbucket Data Center version 6.3.5
* Bitbucket Server and Bitbucket Data Center version 6.4.3
* Bitbucket Server and Bitbucket Data Center version 6.5.2
* Bitbucket Server and Bitbucket Data Center version 6.6.0

Remediation:

Upgrade Bitbucket Server and Bitbucket Data Center to version 6.6.0 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Bitbucket Server and Bitbucket Data Center 5.16.x and cannot upgrade to 6.6.0, upgrade to version 5.16.10.
If you are running Bitbucket Server and Bitbucket Data Center 6.0.x and cannot upgrade to 6.6.0, upgrade to version 6.0.10.
If you are running Bitbucket Server and Bitbucket Data Center 6.1.x and cannot upgrade to 6.6.0, upgrade to version 6.1.8.
If you are running Bitbucket Server and Bitbucket Data Center 6.2.x and cannot upgrade to 6.6.0, upgrade to version 6.2.6.
If you are running Bitbucket Server and Bitbucket Data Center 6.3.x and cannot upgrade to 6.6.0, upgrade to version 6.3.5.
If you are running Bitbucket Server and Bitbucket Data Center 6.4.x and cannot upgrade to 6.6.0, upgrade to version 6.4.3.

For a full description of the latest version of Bitbucket Server and Bitbucket Data Center, see the release notes found at https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Server+release+notes.

You can download the latest version of Bitbucket Server and Bitbucket Data Center from the download centre found at https://www.atlassian.com/software/bitbucket/download.

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
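A small checker for deciding whether an installed Bitbucket Server / Data Center version falls inside the affected ranges above and which fix version the advisory points to. This is an added example, not code from Atlassian or the advisory; the version ranges and fix versions are copied from the advisory text, and the function names are my own.

```python
"""Check a Bitbucket Server / Data Center version against the
CVE-2019-15000 affected ranges and fix versions listed in the advisory.
Added example; the ranges come from the advisory, the code does not."""

# (branch floor, fixed version) per branch, as stated in the advisory.
# A version is affected when floor <= version < fixed. The first entry has
# no floor: every release below 5.16.10 is affected.
AFFECTED_RANGES = [
    (None, "5.16.10"),
    ("6.0.0", "6.0.10"),
    ("6.1.0", "6.1.8"),
    ("6.2.0", "6.2.6"),
    ("6.3.0", "6.3.5"),
    ("6.4.0", "6.4.3"),
    ("6.5.0", "6.5.2"),
]

RECOMMENDED = "6.6.0"  # the advisory's primary remediation target


def parse_version(text):
    """'6.3.4' -> (6, 3, 4). Rejects anything that is not dotted integers,
    so a build suffix or a blank string fails loudly instead of comparing
    as 'not affected'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(p) for p in parts)


def check_version(text):
    """Return (affected, branch_fix): branch_fix is the minimal in-branch
    upgrade from the advisory, or None when the version is not affected."""
    v = parse_version(text)
    for floor, fixed in AFFECTED_RANGES:
        lo = parse_version(floor) if floor else None
        if (lo is None or v >= lo) and v < parse_version(fixed):
            return True, fixed
    return False, None


def upgrade_target(text, can_upgrade_to_latest=True):
    """Advisory guidance: move to 6.6.0 or higher where possible, otherwise
    take the fix release of the branch you are already on."""
    affected, branch_fix = check_version(text)
    if not affected:
        return None
    return RECOMMENDED if can_upgrade_to_latest else branch_fix
```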