This is not an official answer (I'm not Atlassian staff), but based on a quick glance at the CVE report and what versions of Tomcat are included in Bitbucket, I think this only affects Stash 3.11.6 or older.
CVE-2017-12615 appears to only affect systems using Tomcat 7.x.
Bitbucket 4.0 or newer uses Tomcat 8.x according to the End of support announcements for Bitbucket Server page.
Hello @Chris Becker,
@G. Sylvie Davies [bit-booster.com] is right. As mentioned to you in the support ticket you have created, the security team has reviewed the vulnerability and has determined that the vulnerability CVE-2017-12615 affects Tomcat 7.0.0 to 7.0.79, and was fixed in revisions 1804604 and 1804729.
According to the announcement from 10 September 2014 at the End of support announcements for Bitbucket Server page, Atlassian would be including Tomcat 8 libraries from Bitbucket Server 4.0 onwards, so all Bitbucket Server versions before 4.0 are likely affected by this vulnerability and all versions from 4.0 onwards are not.
Please let me know if you need any further clarifications.
Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs