BitBucket Tar\\../ersal to Remote Code Execution — CVE-2019–3397

I meant to share this two years ago but I didn’t have the time to do so. I created a script that automates the exploitation of the BitBucket Data Center from path traversal to remote code execution. At the time, there were no available exploits so I created one.


Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.15.x), from 5.16.0 before 5.16.3 (fixed version for 5.16.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) allow remote attackers who have admin permissions to achieve remote code execution on a Bitbucket server instance via path traversal through the Data Center migration tool.

Tested On

  • BitBucket Data Center v5.15.0
  • BitBucket Data Center v6.1.1

Demo Video

Source Code

BitBucket Tar\../ersal to Remote Code Execution — CVE-2019–3397



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store