Description
It is possible to bypass the Bitbucket Auto-Unapprove plugin via minimal brute force because it relies on asynchronous events on the back end. This allows an attacker to merge any code into unsuspecting repositories. This affects all versions of the Auto-Unapprove plugin; however, since the Auto-Unapprove plugin is not bundled with Bitbucket Server, it does not affect any particular version of Bitbucket.
References (1)
Core References
Issue Tracking, Vendor Advisory (x_refsource_confirm)
https://jira.atlassian.com/browse/BSERV-10439
Scores
CVSS v3
8.5
EPSS
0.0027
EPSS Percentile
50.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-362
Status
published
Products (11)
Atlassian/Auto-Unapprove Plugin (for Bitbucket Server)
All versions prior to version 3.0.1
atlassian/bitbucket_auto_unapprove_plugin
1.0.0 (2 CPE variants)
atlassian/bitbucket_auto_unapprove_plugin
1.1.0
atlassian/bitbucket_auto_unapprove_plugin
1.2.0
atlassian/bitbucket_auto_unapprove_plugin
2.0.1
atlassian/bitbucket_auto_unapprove_plugin
2.0.2
atlassian/bitbucket_auto_unapprove_plugin
2.0.4
atlassian/bitbucket_auto_unapprove_plugin
2.1.1
atlassian/bitbucket_auto_unapprove_plugin
2.1.3
atlassian/bitbucket_auto_unapprove_plugin
2.2.0
... and 1 more
Published
Dec 05, 2017
Tracked Since
Feb 18, 2026