CVE-2017-16857 - OpenCVE

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Atlassian	Bitbucket Auto Unapprove Plugin

Configuration 1 [-]

OR	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.0.0:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.0.0:beta1::::::
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.1.0:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.2.0:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.1:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.2:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.4:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.1.1:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.1.3:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.2.0:::::::*
	cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:3.0.0:::::::*

References

Link	Resource
https://jira.atlassian.com/browse/BSERV-10439	Issue Tracking Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: atlassian

Published: 2017-12-05T00:00:00

Updated: 2017-12-05T15:57:01

Reserved: 2017-11-16T00:00:00

Link: CVE-2017-16857

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-12-05T16:29:00.453

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-16857

JSON object: View

Redhat Information

No data.

CWE

CWE-362

{"containers": {"cna": {"affected": [{"product": "Auto-Unapprove Plugin (for Bitbucket Server)", "vendor": "Atlassian", "versions": [{"status": "affected", "version": "All versions prior to version 3.0.1"}]}], "datePublic": "2017-12-05T00:00:00", "descriptions": [{"lang": "en", "value": "It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket."}], "problemTypes": [{"descriptions": [{"description": "Brute Force Attack", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-05T15:57:01", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jira.atlassian.com/browse/BSERV-10439"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2017-12-05T00:00:00", "ID": "CVE-2017-16857", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Auto-Unapprove Plugin (for Bitbucket Server)", "version": {"version_data": [{"version_value": "All versions prior to version 3.0.1"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Brute Force Attack"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/BSERV-10439", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/BSERV-10439"}]}}}}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-16857", "datePublished": "2017-12-05T00:00:00", "dateReserved": "2017-11-16T00:00:00", "dateUpdated": "2017-12-05T15:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "97911FE2-5F86-4BE3-AB28-9816EB9CAEDA", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "53F394B8-F666-4D37-9AC9-7F5397A405E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "6786304B-5EC4-4EA8-88AB-7DC3518DACB2", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA4C63A4-4315-4083-902D-4C5AA056AE9B", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8830EDAD-E6B0-4A27-A455-97E14374AF4F", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B84B6B9F-E2F9-44E9-AA13-B59F975991A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "607F4C07-6457-4D97-A9AB-1D0EF98B035C", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "16A0B68D-5682-40A8-9755-D85902BCDD63", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "1035851A-D3DF-4A66-B807-1BF85BDF4260", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C7E4D548-247D-41D7-AEEC-606C3A1E0AA7", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "35951C11-94DF-4620-9007-D5F3665502EE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket."}, {"lang": "es", "value": "Es posible omitir el plugin bitbucket auto-unapprove mediante fuerza bruta m\u00ednima, ya que depende de eventos as\u00edncronos en el back end. Esto permite que un atacante combine cualquier c\u00f3digo en repositorios no planeados. Esto afecta a todas las versiones del plugin auto-unapprove; sin embargo, debido a que el plugin auto-unapprove no est\u00e1 agrupado con Bitbucket Server, no afecta a ninguna versi\u00f3n en particular de Bitbucket."}], "id": "CVE-2017-16857", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-05T16:29:00.453", "references": [{"source": "security@atlassian.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/BSERV-10439"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}