Security Advisory 2018-04-15

Power Editor for Bitbucket - Remote Code Execution via File Upload

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 2.7.0 of Power Editor for Bitbucket. All versions of Power Editor for Bitbucket before 3.2.1 are affected by this vulnerability. Power Editor for Bitbucket 3.2.1 and greater is not impacted by this vulnerability.

Remote Code Execution via File Upload

Severity

Mohami rates the severity level of this vulnerability as critical, according to the scale published in Atlassian's severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description

An authenticated user of Bitbucket Server could gain remote code execution using the upload feature.

All versions of Power Editor for Bitbucket before 3.2.1 are affected by this vulnerability. Power Editor for Bitbucket 3.2.1 is not impacted by this vulnerability.

Fix

We have taken the following steps to address this issue:

1. Released Power Editor for Bitbucket version 3.2.1 that contains a fix for this issue and can be downloaded from: https://marketplace.atlassian.com/plugins/com.mohamicorp.stash.plugin.editor-for-stash/versions.

What You Need to Do

Mohami recommends that you upgrade to the latest version. 

Mitigation

If you are running an affected version of Power Editor for Bitbucket and cannot upgrade to an unaffected version the following mitigation can be performed:

1. Disable Power Editor for Bitbucket on the Manage Add-ons page of Bitbucket server.