Unrated severityNVD Advisory· Published Jul 24, 2024· Updated Nov 5, 2024

CVE-2024-21684

Description

There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2.

This open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for further exploitation which has low impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction.

Atlassian recommends that Bitbucket Data Center customers upgrade to the version. If you are unable to do so, upgrade your instance to one of the supported fixed versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bitbucket Data Center contains an open redirect vulnerability that allows an unauthenticated attacker to redirect a victim user upon login to an arbitrary site.

Vulnerability

An open redirect vulnerability exists in Bitbucket Data Center versions 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1. The flaw occurs during the login process, where a crafted URL can redirect an authenticated user to an arbitrary external site. This issue is fixed in versions 8.9.13 and 8.19.2 [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious link that, when clicked by a victim and followed by a successful login, redirects the victim to an attacker-controlled site. The attack requires user interaction (the victim must click the link and log in) and has a high attack complexity as per the CVSS vector [1].

Impact

Successful exploitation results in low confidentiality impact, as the attacker can redirect the victim to a site that may harvest sensitive information (e.g., via phishing). There is no impact to integrity or availability. The CVSS score is 3.1 [1].

Mitigation

Atlassian has released fixed versions 8.9.13 and 8.19.2 to address this vulnerability. Users are advised to upgrade to one of these versions or any later supported release. No workarounds have been provided [1].

References

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Atlassian/Bitbucket Data Centercpe-rescue
Range: 8.19.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

jira.atlassian.com/browse/BSERV-19454mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000