Bitbucket DC Open Redirect in login (v8.0.08.9.12 & 8.19.08.19.1)
CVE-2024-21684 Published on July 24, 2024
There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by this vulnerability. It is patched in 8.9.13 and 8.19.2. This open redirect vulnerability, with a CVSS Score of 3.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, allows an unauthenticated attacker to redirect a victim user upon login to Bitbucket Data Center to any arbitrary site which can be utilized for further exploitation which has low impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Bitbucket Data Center customers upgrade to the version. If you are unable to do so, upgrade your instance to one of the supported fixed versions.
Weakness Type
What is an Open Redirect Vulnerability?
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
CVE-2024-21684 has been classified to as an Open Redirect vulnerability or weakness.
Products Associated with CVE-2024-21684
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-21684 are published in these products:
Affected Versions
Atlassian Bitbucket Data Center:- Version 8.19.1 is affected.
- Version 8.9.0 to 8.9.12 is affected.
- Version 8.8.0 to 8.8.7 is affected.
- Version 8.7.0 to 8.7.5 is affected.
- Version 8.6.0 to 8.6.4 is affected.
- Version 8.5.0 to 8.5.4 is affected.
- Version 8.4.0 to 8.4.4 is affected.
- Version 8.3.0 to 8.3.4 is affected.
- Version 8.2.2 to 8.2.4 is affected.
- Version 8.1.3 to 8.1.5 is affected.
- Version 8.0.3 to 8.0.5 is affected.
- Version 8.19.2 to 8.19.6 is unaffected.
- Version 8.9.13 to 8.9.17 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.