Bitbucket 6.1.1 Path Traversal to RCE

ID RIPSTECH:BF4BBA867B90794960F9D94B46058A0A
Type ripstech
Reporter RIPS Technologies Blog
Modified 2019-09-03T06:27:27


Impact In Bitbucket, four different user roles exist: Bitbucket User, Project Creator, Admin and System Admin. An attacker who holds the Admin role can abuse Bitbucket's Data Center Migration tool to drop an executable shell script into an arbitrary directory on the server. The root cause is a directory traversal in the handling of member paths inside a TAR archive: a member name containing `..` segments is written relative to the extraction directory without being checked, so the file lands outside it. To turn this into remote code execution, the attacker drops a Git hook, which the server executes when a particular event occurs in the repository, e.
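The mechanism behind a TAR path traversal, as an added example that is not code from the RIPS post, from Bitbucket, or from the migration tool: a member whose name contains `..` (or is absolute) resolves to a path outside the extraction directory, and a naive extractor writes it there. The member names, payloads and the `pre-receive` file name below are constructed for the illustration and are not taken from the advisory; the hardened `safe_extract` refuses such archives (and link members, the other classic escape route) before writing anything.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build a TAR archive in memory from {member_name: payload_bytes}.

    Used only to construct sample input for the example; the member names
    are chosen to show the pattern and come from no real archive.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            info.mode = 0o755  # executable, as a dropped hook script would be
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def resolved_member_paths(tar_bytes, dest):
    """Return the absolute path each member would be written to.

    This mirrors what a naive extractor does: join the member name onto the
    destination directory without checking where the result ends up.
    """
    paths = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            paths[member.name] = os.path.realpath(os.path.join(dest, member.name))
    return paths


def escaping_members(tar_bytes, dest):
    """Names of members whose resolved path falls outside `dest`."""
    root = os.path.realpath(dest)
    bad = []
    for name, target in resolved_member_paths(tar_bytes, dest).items():
        # commonpath is the robust containment test; a plain string-prefix
        # test would wrongly accept /tmp/dest-evil as being inside /tmp/dest
        if os.path.commonpath([root, target]) != root:
            bad.append(name)
    return bad


def safe_extract(tar_bytes, dest):
    """Extract only if no member escapes `dest`; otherwise refuse the archive.

    Symlink and hardlink members are rejected too: a link pointing outside
    dest, followed by a regular member written through it, is the other
    common way an archive escapes its extraction directory.
    """
    bad = escaping_members(tar_bytes, dest)
    if bad:
        raise ValueError(f"archive escapes destination via: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                raise ValueError(f"link member not allowed: {member.name}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"unsupported member type: {member.name}")
        if hasattr(tarfile, "data_filter"):
            # Python with PEP 706 support performs equivalent checks natively
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return sorted(os.listdir(dest))


def demo():
    """Run a benign and a traversing archive through safe_extract."""
    # Constructed sample archives: one that stays inside the repo tree,
    # one whose member climbs out of the extraction directory.
    benign = build_tar({"repo/hooks/pre-receive": b"#!/bin/sh\necho ok\n"})
    evil = build_tar({"../../outside/pre-receive": b"#!/bin/sh\nid\n"})
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["evil_escapes"] = escaping_members(evil, dest)
        try:
            safe_extract(evil, dest)
            results["evil_refused"] = False
        except ValueError:
            results["evil_refused"] = True
        results["benign_listing"] = safe_extract(benign, dest)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment test is done on the fully resolved path, not on the raw member name, so `a/../../x` and absolute names are caught as well as the obvious `../` prefix. On Python versions that ship the `filter` argument for `extractall`, passing `filter="data"` gives the same guarantees from the standard library; the explicit check is kept so the refusal happens before any file is written.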