High severity8.5NVD Advisory· Published Dec 5, 2017· Updated May 13, 2026

CVE-2017-16857

Description

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.

Affected products

Atlassian/Auto-Unapprove Plugin (for Bitbucket Server)v5
Range: All versions prior to version 3.0.1
Atlassian/Bitbucket Auto Unapprove Plugin11 versions
cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:3.0.0:*:*:*:*:*:*:*+ 10 more
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:bitbucket_auto_unapprove_plugin:2.2.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

jira.atlassian.com/browse/BSERV-10439nvdIssue TrackingVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.552
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000