← Back

CVE-2017-16857

nvd nist
Published: Dec 5, 2017Modified: May 13, 2026

JSON object

Loading...
8.5
Vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 6.0
Source: NVD

Description

It is possible to bypass the bitbucket auto-unapprove plugin via minimal brute-force because it is relying on asynchronous events on the back-end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the auto-unapprove plugin, however since the auto-unapprove plugin is not bundled with Bitbucket Server it does not affect any particular version of Bitbucket.

Affected (11)

Atlassian
1 product
Bitbucket Auto Unapprove Plugin
Configuration A
11 vulnerable
Vulnerable SoftwareAffected Versions
Atlassian
Bitbucket Auto Unapprove Plugin
Version 1.0.0
Bitbucket Auto Unapprove Plugin
Version 1.0.0 beta1
Bitbucket Auto Unapprove Plugin
Version 1.1.0
Bitbucket Auto Unapprove Plugin
Version 1.2.0
Bitbucket Auto Unapprove Plugin
Version 2.0.1
Bitbucket Auto Unapprove Plugin
Version 2.0.2
Bitbucket Auto Unapprove Plugin
Version 2.0.4
Bitbucket Auto Unapprove Plugin
Version 2.1.1
Bitbucket Auto Unapprove Plugin
Version 2.1.3
Bitbucket Auto Unapprove Plugin
Version 2.2.0
Bitbucket Auto Unapprove Plugin
Version 3.0.0

Related CWEs

CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (2)

Source: security@atlassian.com
Issue TrackingVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingVendor Advisory

Timeline

No history available yet.