Vulnerability Description
The git repository tag rest resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed version for 5.2.x), from version 5.3.0 before 5.3.4 (the fixed version for 5.3.x), from version 5.4.0 before 5.4.2 (the fixed version for 5.4.x), from version 5.5.0 before 5.5.1 (the fixed version for 5.5.x) and before 5.6.0 allows remote attackers to read arbitrary files via a path traversal vulnerability through the name of a git tag.
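The advisory describes the flaw only at the level of "path traversal through the name of a git tag", so the following is an added illustration of that bug class, written here for this page and not taken from Bitbucket Server (which is Java): a client-supplied tag name is joined onto a server-side base path with no containment check, next to a hardened resolver that validates the name and re-checks the normalised result. `REPO_BASE`, the function names and the sample tag names are assumptions for the example, not identifiers from the product.

```python
"""Path traversal via a client-supplied ref name: vulnerable join vs hardened resolver.

Added example for this advisory page; it is not Bitbucket Server code.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical on-disk location a server might derive tag file paths from.
REPO_BASE = "/var/repos/project/refs/tags"


class PathTraversalError(ValueError):
    """Raised when a client-supplied name would escape the base directory."""


def resolve_tag_path_unsafe(base: str, tag_name: str) -> str:
    """Vulnerable pattern: the name is joined straight onto the base path.

    posixpath.join discards `base` entirely when `tag_name` is absolute, and
    normpath collapses "../" segments straight past the base directory, so a
    name such as "../../../../../../etc/passwd" resolves to /etc/passwd.
    """
    return posixpath.normpath(posixpath.join(base, tag_name))


def validate_tag_name(tag_name: str) -> str:
    """Reject names that could steer a path outside the base directory.

    Percent-decoding is repeated so that double-encoded sequences such as
    "%252e%252e%252f" are seen as "../" and rejected rather than passed through
    to a later layer that decodes them.
    """
    decoded = tag_name
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded or "\\" in decoded:
        raise PathTraversalError("control or backslash character in tag name")
    if decoded.startswith("/"):
        raise PathTraversalError("absolute path in tag name")
    for segment in decoded.split("/"):
        if segment in ("", ".", ".."):
            raise PathTraversalError("empty or dot segment in tag name")
    return decoded


def resolve_tag_path_safe(base: str, tag_name: str) -> str:
    """Hardened version: validate the name, then verify containment.

    The containment check after normalisation is the second line of defence:
    even if validation were bypassed, a result that is not strictly below
    `base` is refused.
    """
    name = validate_tag_name(tag_name)
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, name))
    if candidate == base_norm or posixpath.commonpath([base_norm, candidate]) != base_norm:
        raise PathTraversalError("resolved path escapes base directory")
    return candidate


def rejects(base: str, tag_name: str) -> bool:
    """True if the hardened resolver refuses this name; used to compare behaviours."""
    try:
        resolve_tag_path_safe(base, tag_name)
    except PathTraversalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest traversal attempts.
    for name in ("v1.0", "../../../../../../etc/passwd", "/etc/passwd", "%252e%252e%252fetc%252fpasswd"):
        print(f"{name!r:40} unsafe -> {resolve_tag_path_unsafe(REPO_BASE, name)}  "
              f"safe rejects: {rejects(REPO_BASE, name)}")
```

The benign name `v1.0` resolves identically in both versions; the point of the hardened resolver is that every name which would leave `REPO_BASE` is refused before any file is opened, including the percent-encoded and absolute-path variants the naive join accepts.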
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Bitbucket Server | >= 3.7.0, < 4.14.11 |
| Atlassian | Bitbucket Server | >= 5.0.0, < 5.0.9 |
| Atlassian | Bitbucket Server | >= 5.1.0, < 5.1.8 |
| Atlassian | Bitbucket Server | >= 5.2.0, < 5.2.6 |
| Atlassian | Bitbucket Server | >= 5.3.0, < 5.3.4 |
| Atlassian | Bitbucket Server | >= 5.4.0, < 5.4.2 |
| Atlassian | Bitbucket Server | >= 5.5.0, < 5.5.1 |
Related Weaknesses (CWE)
References
- https://jira.atlassian.com/browse/BSERV-10595 (Vendor Advisory)
FAQ
What is CVE-2017-18037?
CVE-2017-18037 is a path traversal vulnerability with a CVSS base score of 6.5 (MEDIUM) in the git repository tag REST resource of Atlassian Bitbucket Server. A remote attacker can read arbitrary files on the server by supplying a crafted git tag name. It affects 3.7.0 through 5.5.x; the fixed releases are 4.14.11, 5.0.9, 5.1.8, 5.2.6, 5.3.4, 5.4.2, 5.5.1 and 5.6.0.
How severe is CVE-2017-18037?
CVE-2017-18037 has been rated MEDIUM with a CVSS base score of 6.5/10. The impact is unauthorised file read on the Bitbucket Server host; this page lists only the base score, not the individual CVSS metrics.
Is there a patch for CVE-2017-18037?
Yes. Atlassian fixed the issue in Bitbucket Server 4.14.11, 5.0.9, 5.1.8, 5.2.6, 5.3.4, 5.4.2, 5.5.1 and 5.6.0; upgrade to the fixed release for your branch or later. See the vendor advisory in the references section above for details.