Bitbucket Data Center / BSERV-12099

Remote Code Execution (RCE) via Argument Injection


Details

    Description

      Issue Summary

      Bitbucket Server & Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.
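The defensive pattern for this bug class, as an added example (not Atlassian's code and not the actual fix): the ticket does not say which Git command or parameter was affected, so the `git log` call, the function names, and the sample values below are assumptions chosen for illustration.

```python
import re
import subprocess

# Allow-list for revision names: the first character may never be "-".
_REV = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./@^~-]*")


class UnsafeArgument(ValueError):
    """Raised when a user-supplied value could be parsed as a Git option."""


def naive_log_argv(revision):
    # Unsafe pattern: the value lands where Git still parses options,
    # so a value beginning with "-" is read as an option, not a revision.
    return ["git", "log", revision]


def check_revision(value):
    if len(value) > 255 or not _REV.fullmatch(value):
        raise UnsafeArgument(f"rejected revision: {value!r}")
    return value


def check_path(value):
    # Leading ":" is refused to keep pathspec magic out (a strict choice).
    if not value or "\x00" in value or value.startswith(":"):
        raise UnsafeArgument(f"rejected path: {value!r}")
    return value


def safe_log_argv(repo_dir, revision, path=None):
    # repo_dir is assumed to be chosen by the server, never by the caller.
    # Fixed options come first. "--end-of-options" (Git 2.24+) stops option
    # parsing before the revision, and "--" makes everything after it a path
    # even if it starts with "-".
    argv = ["git", "-C", repo_dir, "log", "--max-count=20", "--format=%H",
            "--end-of-options", check_revision(revision), "--"]
    if path is not None:
        argv.append(check_path(path))
    return argv


def run_log(repo_dir, revision, path=None):
    # List argv with shell=False: the values are never parsed by a shell.
    return subprocess.run(safe_log_argv(repo_dir, revision, path),
                          capture_output=True, text=True, check=False)
```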

      Affected versions:

      The versions of Bitbucket Server affected by this vulnerability are:

      • from version 1.x.x before 5.16.11 (fixed version for 5.16.x),
      • from version 6.0.x before 6.0.11 (fixed version for 6.0.x),
      • from version 6.1.x before 6.1.9 (fixed version for 6.1.x),
      • from version 6.2.x before 6.2.7 (fixed version for 6.2.x),
      • from version 6.3.x before 6.3.6 (fixed version for 6.3.x),
      • from version 6.4.x before 6.4.4 (fixed version for 6.4.x),
      • from version 6.5.x before 6.5.3 (fixed version for 6.5.x),
      • from version 6.6.x before 6.6.3 (fixed version for 6.6.x),
      • from version 6.7.x before 6.7.3 (fixed version for 6.7.x),
      • from version 6.8.x before 6.8.2 (fixed version for 6.8.x),
      • from version 6.9.x before 6.9.1 (fixed version for 6.9.x).

      Workaround

      Currently there is no known workaround.

            People

              Unassigned
              sraj2@atlassian.com FNU