Fix a critical flaw in Atlassian Bitbucket Server and Data Center! (CVE-2022-36804)


A critical vulnerability (CVE-2022-36804) in Atlassian Bitbucket Server and Data Center could be exploited by unauthorized attackers to execute malicious code on vulnerable instances.

About CVE-2022-36804

Bitbucket Server and Data Center are used by software developers around the world for controlling, managing, and hosting source code revisions.

CVE-2022-36804 is a command injection vulnerability in multiple Bitbucket Server and Data Center API endpoints.

“An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request,” Atlassian explained. Further actions the attacker can take depend on the permissions associated with the exploited application.

All versions of Bitbucket Server and Data Center released before 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.2, 8.2.2, and 8.3.1 are vulnerable, but Bitbucket installations hosted by Atlassian are not affected.

Fix the problem before attackers start exploiting it

Users are advised to upgrade their self-hosted installations to close the security hole.

“If you have configured Bitbucket Mesh nodes, these will need to be updated to the corresponding version of Mesh that includes the fix,” the company added.

“If you are unable to upgrade Bitbucket, a temporary mitigation step is to globally disable public repositories by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack. This cannot be considered a full mitigation as an attacker with a user account could still be successful.

CVE-2022-36804 was reported by AppSec auditor Maxwell Garret (aka LeGrandPew), who recently promised to publish a PoC at the end of September.

Of course, nothing prevents attackers from reverse engineering the provided patches to glean enough information about the flaw to create a working exploit. Users must therefore act quickly to block this path of attack.


Comments are closed.