Issue #7355 duplicate

Information disclosure vulnerability (private repos, teams)

Bryan Bishop avatarBryan Bishop created an issue

There is an information disclosure vulnerability present in BitBucket 38a1a76297f0 / 9a539a797f36.

A bitbucket team that has a public list of members but private repositories will never show the repositories on the team page and the page will never show the number of private repositories on that team.

However, through a member's individual profile (on their own bitbucket page), their memberships to teams lists the number of repositories belonging to each team, even if those teams have all repositories marked as private.

example (sorry to pick on you, Matt): https://bitbucket.org/MattCampbell/

Comments (1)

  1. Log in to comment
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.