VDB

GCVE-110-CERTCC-2021-240785

GCVE-110-CERTCC-2021-240785
Advisory Published
Vulnetix · Advisory published February 18, 2021
### Overview Atlassian Bitbucket on Windows fails to properly set ACLs, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. ### Description The Atlassian Bitbucket Windows installer fails to set a secure access-control list (ACL) on the default installation directory, such as `C:\Atlassian\Bitbucket\`. By default, unprivileged users can create files in this directory structure, which creates a privilege-escalation vulnerability. ### Impact By placing a specially-crafted DLL file in the Bitbucket installation directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Bitbucket software installed. See [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001/) for more details. ### Solution #### Apply an update This issue has been addressed in the Bitbucket Windows installer for versions 7.10.1, 7.6.4, and 6.10.9. Please see https://jira.atlassian.com/browse/BSERV-12753 for more details. ### Acknowledgements This vulnerability was reported by Will Dormann of the CERT/CC. This document was written by Will Dormann.

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›