CVE-2018-25332

GitBucket · GitBucket

GitBucket 4.23.1 is vulnerable to unauthenticated remote code execution due to weak secret token generation and insecure file upload handling.

Executive summary

An unauthenticated remote code execution flaw in GitBucket 4.23.1 allows attackers to gain full system control through token brute-forcing and malicious plugin injection.

Vulnerability

The vulnerability stems from weak Blowfish encryption key generation and an insecure git-lfs endpoint. An unauthenticated attacker can brute-force the encryption key, upload a malicious JAR file as a plugin, and trigger execution via an exposed endpoint.
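The root cause described above, a secret token whose strength is bounded by how it was generated rather than by its length, is worth seeing concretely. The following is an added illustration, not GitBucket's code: the "weak" generator is a generic stand-in (a non-cryptographic PRNG seeded from a second-resolution timestamp) for any token derived from a small, guessable seed, and the strength estimate shows why such a token is brute-forceable no matter how many bytes it has. The `secrets`-based generator is the hardened counterpart.

```python
import math
import random
import secrets

# Added illustration, not GitBucket's implementation. "weak_token" stands in
# for any token derived from a low-entropy seed; "strong_token" is the fix.


def weak_token(seed: int, nbytes: int = 16) -> bytes:
    """Token from a non-cryptographic PRNG seeded with a guessable value
    (e.g. a Unix timestamp). Same seed, same token: whoever can narrow down
    the seed re-derives the token without ever seeing it."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def strong_token(nbytes: int = 16) -> bytes:
    """Token from the OS CSPRNG; its strength is the full 8 * nbytes bits."""
    return secrets.token_bytes(nbytes)


def effective_strength_bits(nbytes: int, seed_space: int) -> float:
    """Effective strength is the smaller of the token's bit length and the
    log2 of the number of seeds the generator could have used. A 128-bit
    token seeded from one day's worth of timestamps is only ~16.4 bits."""
    return min(8 * nbytes, math.log2(seed_space))


if __name__ == "__main__":
    ts = 1_700_000_000  # constructed example timestamp
    assert weak_token(ts) == weak_token(ts)  # deterministic: reproducible from the seed
    print("weak, seeded from a day of timestamps:",
          effective_strength_bits(16, 86_400), "bits")
    print("strong, 16 bytes from the CSPRNG:",
          effective_strength_bits(16, 2 ** 128), "bits")
```

The defender-side takeaway is the `effective_strength_bits` figure: when reviewing how a service mints its secret or encryption keys, ask how many distinct seeds could have produced the key, not how long the key is.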

Business impact

This vulnerability allows an attacker to achieve Remote Code Execution (RCE) with the privileges of the GitBucket service. With a CVSS score of 9.8, the business impact includes complete loss of confidentiality, integrity, and availability, potentially exposing sensitive source code repositories and credentials.

Remediation

Immediate Action: Upgrade to the latest version of GitBucket, which secures the secret token generation and the plugin upload mechanism.

Proactive Monitoring: Monitor system logs for unauthorized attempts to access the git-lfs endpoint or unusual plugin installation events.

Compensating Controls: Restrict network access to the GitBucket instance to trusted IP ranges and monitor for brute-force attempts against authentication or encryption keys.
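The monitoring and compensating-control items above can be turned into concrete detection logic. The following is an added example, not part of the advisory or of GitBucket: it parses constructed web-server access-log lines in common log format and raises alerts for repeated authentication failures against LFS paths from one source, for an LFS write that succeeds after such failures, and for any request to a plugin-administration path. The path prefixes `/git-lfs/` and `/admin/plugins` are assumptions used for illustration, not GitBucket's documented routes, as are the threshold and window values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (common log format). The IPs are from
# documentation ranges; the paths are assumed patterns for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "PUT /git-lfs/alice/app/objects/aaaa HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "PUT /git-lfs/alice/app/objects/aaaa HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "PUT /git-lfs/alice/app/objects/aaaa HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "PUT /git-lfs/alice/app/objects/aaaa HTTP/1.1" 401 0
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "PUT /git-lfs/alice/app/objects/aaaa HTTP/1.1" 200 0
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /admin/plugins/_reload HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2024:12:01:00 +0000] "GET /alice/app HTTP/1.1" 200 8123
198.51.100.4 - - [10/Mar/2024:12:01:05 +0000] "GET /git-lfs/alice/app/objects/bbbb HTTP/1.1" 200 40960
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LFS_PATH = re.compile(r"^/git-lfs/")            # assumption: LFS route prefix
PLUGIN_ADMIN_PATH = re.compile(r"^/admin/plugins")  # assumption: plugin admin prefix
FAIL_THRESHOLD = 3      # failed LFS requests from one IP ...
WINDOW_SECONDS = 60     # ... within this many seconds => brute-force alert


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    event["status"] = int(event["status"])
    return event


def detect(log_text):
    """Return a list of (alert_kind, source_ip, path) tuples in event order."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # stable sort keeps file order for equal timestamps

    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed LFS requests
    already_flagged = set()

    for e in events:
        ip, path = e["ip"], e["path"]

        # Any plugin-administration request is a change-management event worth review.
        if PLUGIN_ADMIN_PATH.match(path):
            alerts.append(("plugin_admin_request", ip, path))

        if not LFS_PATH.match(path):
            continue

        if e["status"] in (401, 403):
            # Sliding window of failures per source; alert once per source.
            failures[ip] = [t for t in failures[ip] + [e["ts"]]
                            if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            if len(failures[ip]) >= FAIL_THRESHOLD and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("lfs_auth_bruteforce", ip, path))
        elif e["method"] in ("PUT", "POST") and 200 <= e["status"] < 300 and failures[ip]:
            # A successful write right after a burst of failures is the pattern to chase.
            alerts.append(("lfs_write_after_failures", ip, path))

    return alerts


if __name__ == "__main__":
    for kind, ip, path in detect(SAMPLE_LOG):
        print(f"{kind:26} {ip:15} {path}")
```

Feed it the real access log of the reverse proxy in front of GitBucket and adjust the two path patterns to the routes your deployment actually exposes; the same three rules map directly onto SIEM correlation searches if you prefer not to run a script.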

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the severity of this RCE vulnerability, immediate patching is mandatory. Organizations must ensure that their GitBucket deployment is not exposed to the public internet until the update is applied and the environment is verified as secure.