Critical vulnerability in Bitbucket servers and data centers

Last Wednesday the 24th, Atlassian reported having discovered a critical vulnerability capable of executing arbitrary code that affects multiple versions of the popular Bitbucket repository software.

The issue, tracked as CVE-2022-36804 (CVSS score: 9.9), is described as a command injection vulnerability that can be exploited via a specially crafted HTTP request.

Command injection vulnerabilities exist in various Bitbucket Server and Data Center API endpoints. An attacker with access to public Bitbucket repositories, or read access to private repositories, could execute arbitrary code by sending malicious HTTP requests.

All versions released after 6.10.17, including 7.0.0 and later, are affected, which means that every instance running a version between 7.0.0 and 8.3.0 is exposed to this vulnerability.

  • Bitbucket Server and Datacenter 7.6
  • Bitbucket Server and Datacenter 7.17
  • Bitbucket Server and Datacenter 7.21
  • Bitbucket Server and Datacenter 8.0
  • Bitbucket Server and Datacenter 8.1
  • Bitbucket Server and Datacenter 8.2
  • Bitbucket Server and Datacenter 8.3

In case Bitbucket cannot be upgraded immediately, Atlassian recommends disabling public repositories with “feature.public.access=false” to prevent unauthorized users from exploiting the vulnerability. This cannot be considered a full mitigation, as an attacker with a user account can still be successful. Users of affected versions of the software are encouraged to update their instances to the latest version as soon as possible to mitigate potential threats.
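As an added example (not part of the advisory or of Atlassian's tooling), the following inventory check flags an instance whose version falls in the affected range named above and reports whether the interim mitigation is set. It assumes the setting is read from the instance's bitbucket.properties file, and it only knows the 7.0.0 to 8.3.0 range stated here, not any specific fixed release.

```python
import re

# Affected range as stated in the advisory: 7.0.0 through 8.3.0 inclusive.
AFFECTED_LOW = (7, 0, 0)
AFFECTED_HIGH = (8, 3, 0)

# Interim mitigation recommended by Atlassian (assumed to live in bitbucket.properties).
MITIGATION_KEY = "feature.public.access"


def parse_version(text):
    """Turn 'major.minor[.patch]' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True when the version lies inside the range the advisory names."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def public_access_disabled(properties_text):
    """True only if feature.public.access is explicitly set to false.

    An absent key counts as not mitigated, since the advisory says the
    property must be set to false to block unauthenticated access.
    """
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):  # Java .properties comments
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m and m.group(1) == MITIGATION_KEY:
            return m.group(2).strip().lower() == "false"
    return False


def assess(version, properties_text):
    """Return (affected, mitigated) for one instance; upgrade is required whenever affected."""
    return is_affected(version), public_access_disabled(properties_text)


if __name__ == "__main__":
    # Constructed sample: an 8.2.0 instance with the interim mitigation applied.
    sample_properties = "# constructed bitbucket.properties\nfeature.public.access=false\n"
    affected, mitigated = assess("8.2.0", sample_properties)
    print(f"affected={affected} public_access_disabled={mitigated}")
```

Disabling public access reduces exposure to unauthenticated users only; an instance reported as affected still needs the upgrade.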