Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-13173

Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133


    • 10
    • Critical
    • CVE-2022-26133

      Update: 2022/04/08 23:00 UTC (Coordinated Universal Time, +0 hours)

      • Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket
      • Note the new CVE assignment does not change any other information in this advisory. The existing list of affected and fixed versions remains unchanged and accurate

      Vulnerability Details

      Bitbucket Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks (CVE-2022-26133). Hazelcast provides functionality needed to run Bitbucket Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution.

      Affected Versions

      Bitbucket Server is not affected.
      Bitbucket Cloud is not affected.

      Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.

      The following versions are affected:

      • All 5.x versions >= 5.14.x
      • All 6.x versions
      • All 7.x versions < 7.6.14
      • All versions 7.7.x through 7.16.x
      • 7.17.x < 7.17.6
      • 7.18.x < 7.18.4
      • 7.19.x < 7.19.4
      • 7.20.0

      Fixed Versions

      The following versions of Bitbucket Data Center fix this vulnerability:

      • 7.6.14
      • 7.17.6
      • 7.18.4
      • 7.19.4
      • 7.20.1
      • 7.21.0

      Find the versions above on our downloads page and use the steps outlined in the Bitbucket upgrade guide to complete the upgrade.

      If you are unable to install a fixed version, refer to the “Workaround” section below.


      Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster. Bitbucket Data Center configures Hazelcast to use TCP port 5701 by default.


      We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.


      For more information, please refer to Atlassian's security advisory.

            Unassigned Unassigned
            security-metrics-bot Security Metrics Bot
            0 Vote for this issue
            16 Start watching this issue