VYPR
Unrated severity · NVD Advisory · Published Jun 3, 2019 · Updated Sep 16, 2024

CVE-2019-3397

Description

Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) allow remote attackers who have admin permissions to achieve remote code execution on a Bitbucket server instance via path traversal through the Data Center migration tool.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Atlassian Bitbucket Data Center's migration tool contains a path traversal flaw enabling authenticated admins to achieve remote code execution.

Vulnerability

CVE-2019-3397 is a path traversal vulnerability in the Data Center migration tool of Atlassian Bitbucket Data Center licensed instances [1]. The flaw affects versions from 5.13.0 before 5.13.6, 5.14.0 before 5.14.4, 5.15.0 before 5.15.3, 5.16.0 before 5.16.3, 6.0.0 before 6.0.3, and 6.1.0 before 6.1.2 [1]. Bitbucket Server instances without a Data Center license are not affected [1]. The vulnerability is accessible only to remote attackers who possess administrator-level permissions [1].

Exploitation

An attacker needs valid administrator credentials and network access to the Bitbucket Data Center instance [1]. Through the Data Center migration import functionality, the attacker submits crafted input whose file paths carry directory-traversal sequences; because the tool does not confine those paths to its intended destination, it writes attacker-controlled files to arbitrary locations on the server filesystem [1]. Placing a file such as a web shell or a malicious plugin in a directory the application loads or serves from then lets the attacker trigger its execution [1]. No interaction from any other user is required; the admin's own requests suffice.
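To make the traversal concrete, the following Python is an added example written for this page; it is not Atlassian's code and does not reproduce the migration tool's real archive format. It builds a constructed archive with one legitimate entry and one entry whose name climbs out of the import directory, then extracts it twice: once with a resolver that trusts the member name (the path-traversal pattern the advisory describes) and once with a resolver that canonicalises the path and requires it to stay under the import root. All directory and member names are hypothetical.

```python
"""Added example: path traversal during an archive import and its fix.
Illustrative code for this page, not Atlassian's implementation; the
archive layout and file names are constructed for the demo."""
import io
import os
import posixpath
import tempfile
import zipfile


def build_archive(entries):
    """Build an in-memory zip from a {member_name: bytes} mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_target(dest_root, member_name):
    """Vulnerable resolver: joins the untrusted member name onto the import root.
    A member such as '../../planted.txt' escapes dest_root."""
    return os.path.join(dest_root, member_name)


def safe_target(dest_root, member_name):
    """Hardened resolver: reject absolute names, then canonicalise and require
    the result to stay under the canonical import root."""
    if posixpath.isabs(member_name) or os.path.isabs(member_name) or member_name.startswith("\\"):
        raise ValueError("absolute member name: %r" % member_name)
    root = os.path.realpath(dest_root)
    candidate = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("member escapes import root: %r" % member_name)
    return candidate


def is_rejected(dest_root, member_name):
    """True if the hardened resolver refuses the member name."""
    try:
        safe_target(dest_root, member_name)
    except ValueError:
        return True
    return False


def import_archive(archive_bytes, dest_root, resolve):
    """Extract every member using the given resolver.
    Returns {member_name: ("written", path) | ("rejected", reason)}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = resolve(dest_root, info.filename)
            except ValueError as exc:
                results[info.filename] = ("rejected", str(exc))
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            results[info.filename] = ("written", target)
    return results


def demo():
    """Run the same malicious archive through both resolvers, each in its own sandbox.
    Hypothetical layout: <base>/staging/import is the import root; the traversal
    entry tries to land a file two levels up, directly under <base>."""
    archive = build_archive({
        "repositories/1/config": b"[core]\n",
        "../../planted.txt": b"attacker-controlled content\n",
    })
    outcome = {}
    for label, resolve in (("naive", naive_target), ("safe", safe_target)):
        base = tempfile.mkdtemp(prefix="migration-demo-")
        dest = os.path.join(base, "staging", "import")
        os.makedirs(dest)
        results = import_archive(archive, dest, resolve)
        outcome[label] = {
            "legit_written": results["repositories/1/config"][0] == "written",
            "traversal_status": results["../../planted.txt"][0],
            "escaped_root": os.path.exists(os.path.join(base, "planted.txt")),
        }
    return outcome


if __name__ == "__main__":
    for label, facts in demo().items():
        print(label, facts)
```

The hardened resolver compares canonical paths (after realpath), so `..` segments, redundant separators and symlinks inside the import root are all accounted for; a plain string check for `..` would miss a member whose parent directory is itself a symlink pointing outside the root. The same confinement check applies to any file name taken from user-supplied input, not only archive members.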

Impact

Successful exploitation yields remote code execution with the privileges of the Bitbucket Server process [1]. From there the attacker can read or modify all data Bitbucket manages, install further malware, or pivot to other internal systems. Confidentiality, integrity and availability of the host are all compromised.

Mitigation

Atlassian has released fixed versions 5.13.6, 5.14.4, 5.15.3, 5.16.3, 6.0.3 and 6.1.2 [1]; upgrading to the latest release (6.1.2 or later) is recommended [1]. Where an immediate upgrade is not possible, disable the import side of the migration tool by setting feature.data.center.migration.import=false in bitbucket.properties and restarting Bitbucket Server, since the property is read at startup [1]. Export functionality remains available [1]. The workaround removes the attack surface but does not fix the underlying flaw, so it should be treated as temporary and the upgrade scheduled.

References
  1. Loading...

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Atlassian/Bitbucket Data Center
    Range: >=5.13.0, <5.13.6 || >=5.14.0, <5.14.4 || >=5.15.0, <5.15.3 || >=5.16.0, <5.16.3 || >=6.0.0, <6.0.3 || >=6.1.0, <6.1.2
  • Atlassian/Bitbucket Data Center v5
    Range: 5.13.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions (0)

No linked articles in our index yet.