Bitbucket server is vulnerable to DoS attacks

Sending multiple parallel requests to /rest/api/1.0/projects/{projectKey}/repos/{repositorySlug}/files will exhaust the server and 500 will be returned.

There is no stack trace.

Using Atlassian Bitbucket v5.8.0

What’s the goal behind this post?

First to inform other developers to be careful.

Second to make Atlassian aware of this problem. Maybe you can find resources to add throttling or some kind of flow control.

Bitbucket does have throttling. Perhaps the sysadmin has not configured it?
https://confluence.atlassian.com/bitbucketserver/scaling-bitbucket-server-776640073.html


If you want to report a vulnerability to Atlassian I’d suggest you use https://bugcrowd.com/atlassian instead of posting it publicly.

I will take this down if you think it is not appropriate.

Both of us are from the community – We don’t work at Atlassian proper.

@marten.gustafsson,

The 500 errors are likely actually the throttling happening. If you pin the system with those requests and then try to clone from or push to a repository, it will most likely still work; the system gates the two types of requests independently. Also, a point you didn’t mention is that either the repository in question needs to be public (so it can be accessed anonymously), or you have to be authenticated in order to use that REST endpoint. (The REST response may provide some further insight.)

As for making us aware of the issue, we already are. You might be interested in BSERV-11206. In the future, though, I might suggest that a BSERV ticket on jira.atlassian.com, or a support request via support.atlassian.com, is a better way to get in touch about potentially sensitive issues.

Best regards,
Bryan Turner
Atlassian Bitbucket

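Added example (not code from the thread or from Atlassian): since throttling on this endpoint surfaces as 500 rather than the 503 a monitor might key on, a sysadmin can spot bursts of rejected /files requests per client from the access log instead. The log format below is a constructed, simplified one (`<epoch> <ip> <method> <path> <status>`), and the window and threshold values are assumptions to tune.

```python
import re
from collections import defaultdict, deque

# Constructed, simplified log line format: "<epoch-seconds> <client-ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
# The REST endpoint discussed in the thread; project key and repo slug are wildcards.
FILES_ENDPOINT = re.compile(r"^/rest/api/1\.0/projects/[^/]+/repos/[^/]+/files")

def parse(line):
    """Return (ts, ip, method, path, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return int(ts), ip, method, path, int(status)

def find_bursts(lines, window=10, threshold=20, min_5xx_ratio=0.5):
    """Flag clients that issued at least `threshold` requests to the files endpoint
    inside `window` seconds where at least `min_5xx_ratio` of them got a 5xx.
    Returns {ip: (requests_in_window, count_5xx)} using the latest window seen."""
    per_ip = defaultdict(deque)  # ip -> sliding window of (ts, status)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _method, path, status = rec
        if not FILES_ENDPOINT.match(path):
            continue  # clone/push traffic (e.g. /scm/...) is gated separately, ignore it
        q = per_ip[ip]
        q.append((ts, status))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            errs = sum(1 for _, s in q if 500 <= s < 600)
            if errs / len(q) >= min_5xx_ratio:
                flagged[ip] = (len(q), errs)
    return flagged

# Constructed sample: one client hammers /files (first 5 succeed, the rest get 500),
# another client makes a few normal calls, and a clone request is mixed in.
SAMPLE_LOG = [
    f"{1000 + i // 10} 10.0.0.5 GET /rest/api/1.0/projects/PRJ/repos/app/files {200 if i < 5 else 500}"
    for i in range(25)
] + [
    "1001 10.0.0.9 GET /rest/api/1.0/projects/PRJ/repos/app/files 200",
    "1002 10.0.0.9 GET /rest/api/1.0/projects/PRJ/repos/app/files 200",
    "1002 10.0.0.5 GET /scm/prj/app.git/info/refs 200",
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))  # {'10.0.0.5': (25, 20)}
```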

Thanks for the reply. My request is authenticated. I had expected a 503 return code for throttling.