Intigriti - Hack Hub
  • Misconfig Mapper Docs
    • Introduction
    • Supported Services
    • CLI Tool
    • Contributing
  • Services
    • GraphQL
      • GraphQL Introspection Query Enabled
    • Symfony PHP
      • Symfony Profiler Enabled
    • Postman API Platform
      • Public Workspaces
    • Salesforce
      • Salesforce Lightning Aura Components Enabled
    • Trello
      • View Permissions on Trello Boards
    • Figma
      • View access misconfiguration
    • Freshworks Freshservice
      • Open User Registration
    • Slack
      • No Admin Approval for Invitations
    • Atlassian Bitbucket
      • Publicly Accessible Private Repositories
    • Atlassian Confluence
      • Anonymous access to Remote API
      • Disabled XSRF Protection
      • User Email Visibility
      • Misconfigured Spaces
    • Atlassian Jira
      • Open User Registration
      • Atlassian Jira Email Visibility
      • Atlassian Jira Service Desk Open Signups
    • AWS S3
      • Misconfigured List Permissions
    • Cloudflare R2
      • R2.DEV Enabled
    • Google Groups
      • Misconfigured read permissions
    • Google Docs
      • Misconfigured read permissions
    • Google Cloud Storage Bucket
      • Misconfigured access controls
    • Google OAuth
      • Unrestricted email domains
    • Jenkins
      • Open Signups
      • Public Groovy Script Console
    • GitLab
      • Gitlab Private Source Code Snippets Exposed
    • Drupal
      • Drupal Nodes with Misconfigured Access Controls
    • Laravel
      • Debug Mode Enabled
      • Laravel Telescope Enabled In Production
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Services
  2. Atlassian Bitbucket

Publicly Accessible Private Repositories

PreviousAtlassian BitbucketNextAtlassian Confluence

Last updated 1 year ago

Was this helpful?

Description:

Bitbucket is a source control tool used by software teams to collaborate easily and work simultaneously on code bases. And in some cases, public access to private repositories are temporarily enabled, this however leaves your company at risk of bad actors cloning your repository data without being authorized to do so. It is always advisable to cross-check both your workspace and individual repository settings for misconfigured access settings.

Testing:

Once you create a Bitbucket Workspace, your workspace gets an ID assigned (this is usually the name of the workspace, for example: mycompanyname). You can visit this URL unauthenticated to cross-check what anonymous users get to view:

https://bitbucket.org/{WORKSPACE_ID}

The workspace ID can be guessed or can be enumerated through search engines like Google with the use of search filtering/syntax:

site:bitbucket.org inurl:/workspace/projects

You'll be able to access each individual public repository by opening it on the Workspace overview page:

You can browse through the code and any previous commits:

Remediation:

For self-hosted Atlassian Bitbucket permises, locate the bitbucket.properties file in the home directory of your Bitbucket instance and set feature.public.access to false. On the cloud version, navigate to your repository settings:

And make sure that the "This is a private repository" option is checked, and save your changes:

Additionally, make sure your Workspace visibility settings are also set to private. To do so:

  1. Navigate to your workspace

  2. Click on the settings icon and open Workspace settings

  1. And make sure the option "Keep this workspace private" is checked and save your settings:

Potential Impact:

Most code bases are meant to be private and leaving it publicly accessible can be destructive for some companies. Most private code bases contain sensitive data, private code (obviously) and/or even clear text credentials. All this data can be used for further exploitation by bad actors.

References:

https://confluence.atlassian.com/bitbucketserver/allowing-public-access-to-code-776639799.html#Allowingpublicaccesstocode-Disablingpublicaccessglobally