
Warning: Remote Code Execution vulnerability in Bitbucket Data Center and Server, Update Immediately!

Reference: Advisory #2023-113
Version: 1.0
Affected software: Atlassian Bitbucket Data Center and Server versions 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0
Type: Remote Code Execution (RCE)
CVE/CVSS: CVE-2023-22513: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Sources

Confluence - https://confluence.atlassian.com/security/security-bulletin-september-19-2023-1283691616.html

Risks

CVE-2023-22513 is a high-severity vulnerability with a CVSS score of 8.5. It allows an authenticated attacker to execute arbitrary code on vulnerable systems. This could have severe consequences, with high impact on the confidentiality, integrity and availability of the targeted systems. At the time of writing, the vulnerability has not been observed being exploited by threat actors.

Description

The high severity of the vulnerability stems from the fact that an attacker who has successfully authenticated with low privileges could escalate privileges and exploit the vulnerability without any user interaction. The attacker could then execute commands on the system, affecting its confidentiality, integrity and availability.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends that system administrators upgrade to the most recent version provided by Atlassian.

If you are unable to do so, Atlassian recommends upgrading your instance to one of the specified supported fixed versions:

  • Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5
  • Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5
  • Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4
  • Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2
  • Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1
  • Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0
  • Bitbucket Data Center and Server version >= 8.0 and < 8.9: Upgrade to any of the listed fix versions.

You can download the latest version of Bitbucket Data Center and Server from the download center: https://www.atlassian.com/software/bitbucket/download-archives.

  • Versions before 8.0.0 (e.g., 7.x series) are unaffected by this vulnerability.
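To help administrators triage an inventory of Bitbucket instances against the fix-version table above, here is an added helper script (not part of this advisory or of Atlassian's tooling). It assumes that within each listed minor line every release below the fixed one is affected, and that 8.14.0 and anything later is clean; the sample inventory at the bottom is constructed.

```python
import re

# Minimum fixed release per 8.x minor line, as listed in the advisory.
FIXED_RELEASES = {
    (8, 9): (8, 9, 5), (8, 10): (8, 10, 5), (8, 11): (8, 11, 4),
    (8, 12): (8, 12, 2), (8, 13): (8, 13, 1), (8, 14): (8, 14, 0),
}
FIRST_AFFECTED = (8, 0, 0)   # 7.x and earlier are unaffected
FIRST_CLEAN = (8, 14, 0)     # assumption: 8.14.0 and everything after it is clean


def parse_version(text):
    """Parse 'major.minor[.patch]' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fmt(v):
    return ".".join(str(part) for part in v)


def assess(text):
    """Return whether `text` is an affected version and which release(s) fix it."""
    v = parse_version(text)
    if v < FIRST_AFFECTED or v >= FIRST_CLEAN:
        return {"version": fmt(v), "affected": False, "upgrade_to": []}
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        # 8.9 - 8.13: affected only below that line's fixed release.
        affected = v < fixed
        return {"version": fmt(v), "affected": affected,
                "upgrade_to": [fmt(fixed)] if affected else []}
    # 8.0 - 8.8: no fix on that line; any of the listed fix versions will do.
    return {"version": fmt(v), "affected": True,
            "upgrade_to": [fmt(f) for f in sorted(FIXED_RELEASES.values())]}


def hosts_needing_upgrade(inventory):
    """Reduce a {host: version} inventory to the hosts still on affected builds."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    return {host: r for host, r in results.items() if r["affected"]}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"git-prod": "8.9.4", "git-staging": "8.13.1", "git-legacy": "7.21.0"}
    for host, r in hosts_needing_upgrade(sample).items():
        print(f"{host}: {r['version']} affected, upgrade to {', '.join(r['upgrade_to'])}")
```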

References

NIST - https://nvd.nist.gov/vuln/detail/CVE-2023-22513

Confluence - https://confluence.atlassian.com/security/security-bulletin-september-19-2023-1283691616.html

Atlassian - https://www.atlassian.com/software/bitbucket/download-archives

Information Security Newspaper - https://www.securitynewspaper.com/2023/09/20/hacking-atlassian-bitbucket-confluence-data-with-a-vulnerability/