VDB
GCVE-110-CERTCC-2021-240785
GCVE-110-CERTCC-2021-240785
Advisory Published
### Overview
Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges.
### Description
The Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as `C:\Atlassian\Bitbucket\`. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability.
### Impact
By placing a specially-crafted DLL file in the Bitbucket installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Bitbucket software installed. See [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001/) for more details.
### Solution
#### Apply an update
This issue has been addressed in the Bitbucket Windows installer for versions 7.10.1, 7.6.4, and 6.10.9. Please see https://jira.atlassian.com/browse/BSERV-12753 for more details.
### Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Aliases
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.