Last Wednesday the 24th, the company Atlassian reported having discovered a critical vulnerability capable of executing arbitrary code that affects multiple versions of the popular BitBucket repository software.
The issue, tracked as CVE-2022-36804 (CVSS score: 9.9), is described as a command injection vulnerability that can be exploited via a specially crafted HTTP request.
Command injection vulnerabilities exist in various Bitbucket servers and data center API endpoints. An attacker with access to public Bitbucket repositories or read access to private repositories could execute arbitrary code by sending malicious HTTP requests.
All versions released after 6.10.17, including 7.0.0 and later, are affected, which means that all instances running any version between 7.0.0 and 8.3.0 can be exploited by this vulnerability.
- Bitbucket Server and Datacenter 7.6
- Bitbucket Server and Datacenter 7.17
- Bitbucket Server and Datacenter 7.21
- Bitbucket Server and Datacenter 8.0
- Bitbucket Server and Datacenter 8.1
- Bitbucket Server and Datacenter 8.2,
- Bitbucket Server and Datacenter 8.3
In case Bitbucket cannot be upgraded immediately, Atlassian recommends disabling public repositories with “feature.public.access=false” to prevent unauthorized users from exploiting the vulnerability. This cannot be considered a full mitigation, as an attacker with a user account can still be successful.Users of affected versions of the software are encouraged to update their instances to the latest version as soon as possible to mitigate potential threats.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.