CVE-2024-21684

4.3 MEDIUM

📋 TL;DR

This is an open redirect vulnerability in Bitbucket Data Center that allows unauthenticated attackers to redirect users to arbitrary websites after login. Affected versions are 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1; exploitation requires user interaction.

💻 Affected Systems

Products:
  • Bitbucket Data Center
Versions: 8.0.0 to 8.9.12, 8.19.0 to 8.19.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Bitbucket Data Center, not Bitbucket Server or Cloud versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users redirected to malicious sites that steal credentials or deliver malware through phishing attacks.

🟠

Likely Case

Users redirected to phishing pages attempting credential theft or displaying unwanted content.

🟢

If Mitigated

Minimal impact with proper user awareness training and browser security controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires user interaction (victim must click/login), making exploitation less reliable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.9.13 or 8.19.2

Vendor Advisory: https://jira.atlassian.com/browse/BSERV-19454

Restart Required: Yes

Instructions:

1. Back up your instance.
2. Download the fixed version from Atlassian downloads.
3. Stop Bitbucket.
4. Install the update.
5. Restart Bitbucket.
6. Verify the version.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Configure WAF rules to block requests whose redirect parameters point to hosts outside the Bitbucket instance

User Awareness Training

all

Train users to verify URLs before entering credentials

🧯 If You Can't Patch

  • Implement network segmentation to restrict Bitbucket access to trusted users only
  • Deploy web security gateway to inspect and block malicious redirects

🔍 How to Verify

Check if Vulnerable:

Check Bitbucket version via admin interface or system info page

Check Version:

Check via Bitbucket web interface: Admin → System → System Info

Verify Fix Applied:

Verify version is 8.9.13+ or 8.19.2+ and test redirect functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns in access logs
  • Multiple failed login attempts followed by external redirects

Network Indicators:

  • HTTP 302/301 redirects to external domains after login endpoints

SIEM Query:

source="bitbucket" AND (status=302 OR status=301) AND url="*redirect=*" AND NOT url="*atlassian.com*"
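The log and network indicators above can be checked offline against access logs. The following is an added example, not part of this advisory or of Atlassian's tooling: it parses combined-log-style lines (constructed samples, not real Bitbucket output), keeps 301/302 responses from assumed login paths (`/login`, `/j_atl_security_check`), and flags any query parameter whose value is an absolute or scheme-relative URL pointing at a host other than the instance's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in a combined-log-like format; not real Bitbucket logs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:10:01:02 +0000] "GET /login?redirect=/projects/ABC HTTP/1.1" 302 0
10.0.0.7 - - [10/May/2024:10:01:05 +0000] "GET /login?redirect=https://login.example.net/phish HTTP/1.1" 302 0
10.0.0.9 - - [10/May/2024:10:02:11 +0000] "GET /login?next=//evil.example/ HTTP/1.1" 302 0
10.0.0.9 - - [10/May/2024:10:02:15 +0000] "GET /rest/api/1.0/projects HTTP/1.1" 200 512
10.0.0.3 - - [10/May/2024:10:03:00 +0000] "POST /j_atl_security_check?redirect=https%3A%2F%2Fbitbucket.example.com%2Fdashboard HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Login endpoints assumed for this instance (assumption; adjust to your deployment).
LOGIN_PATHS = ("/login", "/j_atl_security_check")


def external_redirect_targets(target, own_host):
    """Return (param, value) pairs in the query of `target` that point to a host other than own_host."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for v in values:
            s = v.strip()
            # Absolute (http/https) and scheme-relative (//host) values leave the instance;
            # parse_qs has already percent-decoded them.
            if s.startswith(("http://", "https://", "//")):
                host = (urlsplit(s).hostname or "").lower()
                if host != own_host.lower():
                    hits.append((name, s))
    return hits


def find_suspicious_redirects(log_text, own_host):
    """Flag 301/302 responses from login endpoints whose query carries an external redirect target."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path
        if int(m.group("status")) not in (301, 302) or not path.startswith(LOGIN_PATHS):
            continue
        for param, dest in external_redirect_targets(m.group("target"), own_host):
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), "param": param, "dest": dest})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_redirects(SAMPLE_LOG, "bitbucket.example.com"):
        print(finding)
```

Access logs record the request URL, not the response `Location` header, so this is a heuristic: a hit shows a redirect parameter naming an external host, which then needs confirming against the actual redirect behaviour of the version in use.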
