Detected Bypass Vulnerability

Issue #24 resolved
Jesse Carnaxide created an issue

I am not sure if anyone is aware of this, but your plugin has a bypass vulnerability that has been detected and reported here: CVE Website

Maybe it has already been resolved; if so, a link to that fix would be sufficient for me. Thank you!

Comments (7)

  1. Julius Davies [bit-booster.com]

    The latest version of auto-unapprove (v3.0.1) has the fix for the CVE. The changelog on marketplace.atlassian.com refers to BSERV-10439 which in turn refers to CVE-2017-16857.

    My understanding of the vulnerability is that someone who already has write access to the repo could circumvent auto-unapprove (if using auto-unapprove 3.0.0 or older) if they really wanted to, e.g. by repeatedly force-pushing while also repeatedly hitting the merge button in another window. In older versions of auto-unapprove there was a small chance you could hit the merge button before auto-unapprove had dropped the approvals.

    Note: the attacker here has to already have write access to your repo!

    FYI - I'm not Atlassian staff. My company maintains the PR-Booster add-on which competes a little with this one.
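The window described in the comment above is a classic time-of-check/time-of-use race: the push that invalidates the review and the handler that drops the approvals are two separate steps, and a merge request that lands between them sees stale approvals. The following is an added illustration, not code from the auto-unapprove plugin or from Atlassian (the page does not show how 3.0.1 actually fixes it). It models the pull request in two ways: one where approvals are a flat set cleared by a deferred job after a push, and one where each approval is recorded against the commit it was given for, so the merge check itself rejects approvals that no longer match the head and no cleanup job is on the critical path. The commit identifiers and the reviewer name are constructed sample data.

```python
"""Model of the approval-dropping race. Illustration only; not the plugin's code."""
from collections import deque
from typing import Callable, Deque, Dict, Optional, Set


class PullRequest:
    """Shared plumbing: a head commit plus a queue of deferred event-handler jobs.

    Jobs are run explicitly by the caller so the two interleavings (merge before
    cleanup, cleanup before merge) can be reproduced deterministically.
    """

    def __init__(self, head: str) -> None:
        self.head = head
        self.pending_jobs: Deque[Callable[[], None]] = deque()

    def run_pending_jobs(self) -> None:
        while self.pending_jobs:
            self.pending_jobs.popleft()()


class RacyPullRequest(PullRequest):
    """Approvals are a flat set; a push schedules an asynchronous clear.

    merge() only asks "is anyone's approval present", not "what did they approve",
    so a merge that runs before the deferred clear goes through on rewritten code.
    """

    def __init__(self, head: str) -> None:
        super().__init__(head)
        self.approvals: Set[str] = set()

    def approve(self, reviewer: str) -> None:
        self.approvals.add(reviewer)

    def force_push(self, new_head: str) -> None:
        self.head = new_head
        # Hypothetical event handler: the clear happens later, on another thread.
        self.pending_jobs.append(self.approvals.clear)

    def merge(self) -> Optional[str]:
        return self.head if self.approvals else None


class BoundPullRequest(PullRequest):
    """Each approval is bound to the commit the reviewer actually looked at.

    The merge check compares that commit with the current head, so a force-push
    invalidates approvals immediately and atomically with the head update. This is
    one way to close the race (an assumption here, not a claim about 3.0.1).
    """

    def __init__(self, head: str) -> None:
        super().__init__(head)
        self.approvals: Dict[str, str] = {}  # reviewer -> commit approved

    def approve(self, reviewer: str) -> None:
        self.approvals[reviewer] = self.head

    def force_push(self, new_head: str) -> None:
        self.head = new_head  # nothing to clean up; stale approvals simply stop counting

    def merge(self) -> Optional[str]:
        if any(commit == self.head for commit in self.approvals.values()):
            return self.head
        return None


def race_scenario(pr_cls, cleanup_runs_first: bool) -> Optional[str]:
    """Review, then force-push, then merge. Returns the merged commit or None.

    cleanup_runs_first=False is the interleaving the attacker is trying to hit:
    the merge button is pressed before any deferred unapprove job has run.
    """
    pr = pr_cls("a1b2c3")          # constructed: the commit that was reviewed
    pr.approve("reviewer")
    pr.force_push("d4e5f6")        # constructed: unreviewed rewrite of the branch
    if cleanup_runs_first:
        pr.run_pending_jobs()
    return pr.merge()


def reviewed_scenario(pr_cls) -> Optional[str]:
    """Control case: approve and merge with no push in between."""
    pr = pr_cls("a1b2c3")
    pr.approve("reviewer")
    return pr.merge()


if __name__ == "__main__":
    for cls in (RacyPullRequest, BoundPullRequest):
        print(cls.__name__,
              "merge-before-cleanup:", race_scenario(cls, cleanup_runs_first=False),
              "cleanup-before-merge:", race_scenario(cls, cleanup_runs_first=True),
              "no push:", reviewed_scenario(cls))
```

Run it and the racy model merges `d4e5f6` only in the merge-before-cleanup interleaving, which is exactly the "small chance" window the comment describes; the bound model returns None for both interleavings and still merges the reviewed commit in the control case. The design point is that the check at merge time must depend on the same state the push changes, rather than on a side effect that another handler is expected to have produced by then.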

  2. John Van Der Loo

    @J3SS3LM did you come across this issue because you're using a specific version of the plugin? If so, as noted by @gsylviedavies, you can upgrade to 3.0.1 to get the fixed version.

    Regards,

    John van der Loo

    Developer, Bitbucket Server

  3. Jesse Carnaxide reporter

    Yes, I have seen that the fix has been implemented in version 3.0.1. We can close this issue.
