{"api_version":"1","generated_at":"2026-04-23T00:39:44+00:00","cve":"CVE-2020-36233","urls":{"html":"https://cve.report/CVE-2020-36233","api":"https://cve.report/api/cve/CVE-2020-36233.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-36233","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-36233"},"summary":{"title":"CVE-2020-36233","description":"The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.","state":"PUBLIC","assigner":"security@atlassian.com","published_at":"2021-02-18 20:15:00","updated_at":"2021-02-24 19:30:00"},"problem_types":["CWE-276"],"metrics":[],"references":[{"url":"https://www.kb.cert.org/vuls/id/240785","name":"VU#240785","refsource":"CERT-VN","tags":["Third Party Advisory","US Government Resource"],"title":"VU#240785 - Atlassian Bitbucket on Windows is vulnerable to privilege escalation due to weak ACLs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://jira.atlassian.com/browse/BSERV-12753","name":"https://jira.atlassian.com/browse/BSERV-12753","refsource":"MISC","tags":["Issue Tracking","Vendor Advisory"],"title":"[BSERV-12753] Privilege Escalation Vulnerability in Atlassian Bitbucket on Windows - CVE-2020-36233 - Create and track feature requests for Atlassian products.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-36233","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36233","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"36233","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"bitbucket","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"36233","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"bitbucket","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"36233","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"36233","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-36233","qid":"730309","title":"Atlassian Bitbucket Privilege Escalation Vulnerability (CVE-2020-36233)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@atlassian.com","DATE_PUBLIC":"2021-02-16T00:00:00","ID":"CVE-2020-36233","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Atlassian","product":{"product_data":[{"product_name":"Bitbucket Server","version":{"version_data":[{"version_value":"6.10.9","version_affected":"<"},{"version_value":"7.0.0","version_affected":">="},{"version_value":"7.6.4","version_affected":"<"},{"version_value":"7.7.0","version_affected":">="},{"version_value":"7.10.1","version_affected":"<"}]}},{"product_name":"Bitbucket Data Center","version":{"version_data":[{"version_value":"6.10.9","version_affected":"<"},{"version_value":"7.0.0","version_affected":">="},{"version_value":"7.6.4","version_affected":"<"},{"version_value":"7.7.0","version_affected":">="},{"version_value":"7.10.1","version_affected":"<"}]}}]}}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Incorrect Permission Assignment for Critical Resource"}]}]},"references":{"reference_data":[{"url":"https://jira.atlassian.com/browse/BSERV-12753","refsource":"MISC","name":"https://jira.atlassian.com/browse/BSERV-12753"},{"refsource":"CERT-VN","name":"VU#240785","url":"https://www.kb.cert.org/vuls/id/240785"}]}},"nvd":{"publishedDate":"2021-02-18 20:15:00","lastModifiedDate":"2021-02-24 19:30:00","problem_types":["CWE-276"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:P/A:P","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":4.6},"severity":"MEDIUM","exploitabilityScore":3.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*","versionEndExcluding":"6.10.9","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.6.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*","versionStartIncluding":"7.7.0","versionEndExcluding":"7.10.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"36233","Ordinal":"201263","Title":"CVE-2020-36233","CVE":"CVE-2020-36233","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"36233","Ordinal":"1","NoteData":"The Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"36233","Ordinal":"2","NoteData":"2021-02-18","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"36233","Ordinal":"3","NoteData":"2021-02-18","Type":"Other","Title":"Modified"}]}}}