Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource.