Bitbucket Data Center / BSERV-13438

Critical severity command injection vulnerability - CVE-2022-36804

    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 8.0.3, 8.1.3, 8.2.2, 8.3.1, 7.6.17, 7.17.10, 7.21.4
    • Affects Version/s: 7.0.0, 7.0.1, 7.2.0, 7.0.2, 7.1.1, 7.0.3, 7.1.2, 7.0.4, 7.1.3, 7.2.1, 7.3.0, 7.0.5, 7.1.4, 7.2.2, 7.2.3, 7.2.4, 7.4.0, 7.3.1, 7.2.5, 7.3.2, 7.4.1, 7.5.0, 7.4.2, 7.5.1, 7.6.0, 7.2.6, 7.5.2, 7.6.1, 7.7.0, 7.8.0, 7.7.1, 7.6.2, 7.9.0, 7.8.1, 7.9.1, 7.10.0, 7.6.3, 7.6.4, 7.10.1, 7.12.0, 7.11.1, 7.6.5, 7.11.2, 7.6.6, 7.13.0, 7.12.1, 7.6.7, 7.14.0, 7.13.1, 7.15.0, 7.14.1, 7.6.8, 7.14.2, 7.6.9, 7.15.1, 7.16.0, 7.15.2, 7.17.0, 7.18.0, 7.16.1, 7.6.10, 7.17.1, 7.17.2, 7.18.1, 7.6.11, 7.16.2, 7.17.3, 7.18.2, 7.20.0, 7.18.3, 7.17.4, 7.15.3, 7.16.3, 7.6.12, 7.6.13, 7.19.2, 7.18.4, 7.17.5, 7.19.3, 7.6.14, 8.0.0, 7.17.6, 7.19.4, 7.20.1, 7.19.5, 7.20.2, 8.1.0, 8.2.0, 8.0.1, 8.1.1, 7.20.3, 8.0.2, 8.1.2, 8.2.1, 8.3.0, 7.6.15, 7.6.16, 7.17.7, 7.17.8, 7.17.9, 7.21.0, 7.21.1, 7.21.2, 7.21.3
    • Component/s: None
    • CVSS Score: 9.9
    • Severity: Critical
    • CVE ID: CVE-2022-36804

      Command injection vulnerability through malicious HTTP requests

      There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.

      All versions released after 6.10.17, including 7.0.0 and newer, are affected. Every instance running a version from 7.0.0 through 8.3.0 inclusive can be exploited through this vulnerability.

      The full list of affected versions can be found in the "Affects Version/s:" field of this report.

      Affected versions:

      All Bitbucket Server and Data Center versions from 7.0.0 to 8.3.0 inclusive.

      Fixed versions:

      7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, 8.3.1 (see the "Fix Version/s:" field of this report).
      Bitbucket Mesh

      If you have configured Bitbucket Mesh nodes, these will need to be updated to the corresponding version of Mesh that includes the fix. To find the version of Mesh compatible with your Bitbucket Data Center version, please check the compatibility matrix. You can download the corresponding version from the download centre.
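      As an added example (not part of Atlassian's advisory and not Bitbucket's own code), the script below classifies a Bitbucket Server / Data Center version string against the ranges stated in this report and names the release to upgrade to. It encodes only what the page says: affected 7.0.0 through 8.3.0 inclusive, fixed releases as listed in "Fix Version/s". The point it handles is that several fixed releases (7.6.17, 7.17.10, 8.0.3, ...) sort numerically inside the affected range, so a plain "between 7.0.0 and 8.3.0" check wrongly flags patched servers; the per-branch fix must be consulted first. The rule for branches with no fix of their own (take the lowest fixed release above the running version) is my choice, not an Atlassian recommendation. The sample JSON is constructed; `/rest/api/1.0/application-properties` is the REST endpoint I recall for reading the running version, so verify it against your own instance.

```python
"""Classify a Bitbucket Server / Data Center version against CVE-2022-36804.

Added example; encodes only the version ranges stated in BSERV-13438.
"""
import json
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected range from the advisory: 7.0.0 to 8.3.0 inclusive.
AFFECTED_MIN: Version = (7, 0, 0)
AFFECTED_MAX: Version = (8, 3, 0)

# "Fix Version/s" of this report. Several of these (7.6.17, 8.0.3, ...) sort
# *inside* the affected range, so a plain range comparison would wrongly flag
# them; the per-branch fix must be checked first.
FIXED_VERSIONS = ["7.6.17", "7.17.10", "7.21.4", "8.0.3", "8.1.3", "8.2.2", "8.3.1"]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; anything else is rejected rather than guessed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


FIXED: Tuple[Version, ...] = tuple(sorted(parse_version(s) for s in FIXED_VERSIONS))


def fix_for_branch(v: Version) -> Optional[Version]:
    """Fixed release on the same major.minor branch as v, if this report lists one."""
    for fixed in FIXED:
        if fixed[:2] == v[:2]:
            return fixed
    return None


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_version).

    status is 'fixed', 'vulnerable' or 'not_listed'; recommended_version is the
    release to upgrade to when vulnerable, otherwise None.
    """
    v = parse_version(version_text)
    branch_fix = fix_for_branch(v)

    # At or beyond the branch's fix: patched, even though e.g. 8.0.3 or 7.6.17
    # sorts numerically inside 7.0.0..8.3.0.
    if branch_fix is not None and v >= branch_fix:
        return "fixed", None

    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        if branch_fix is not None:
            target = branch_fix  # stay on the same branch
        else:
            # Branch without its own fix (e.g. 7.20.x): lowest fixed release
            # above the running version. Always exists because 8.3.1 > 8.3.0.
            target = min(f for f in FIXED if f > v)
        return "vulnerable", format_version(target)

    # Below 7.0.0 or above 8.3.0: not in the "Affects Version/s" of this report.
    return "not_listed", None


# Constructed sample of a GET /rest/api/1.0/application-properties response
# (endpoint and field name from memory of the Bitbucket REST API; verify on
# your instance before relying on it).
SAMPLE_APPLICATION_PROPERTIES = json.dumps({"version": "7.21.3", "displayName": "Bitbucket"})


def version_from_application_properties(body: str) -> str:
    """Extract the 'version' field from an application-properties response body."""
    data = json.loads(body)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError("application-properties response has no 'version' field")
    return version


if __name__ == "__main__":
    running = version_from_application_properties(SAMPLE_APPLICATION_PROPERTIES)
    for candidate in (running, "7.21.4", "8.0.3", "8.3.0", "7.20.3", "8.4.0", "6.10.17"):
        status, target = assess(candidate)
        print(f"{candidate:>8}: {status}" + (f" -> upgrade to {target}" if target else ""))
```

      Running it prints one line per candidate; 7.21.3 (the version asked about in the comments below) comes out as vulnerable with 7.21.4 as the target, while 8.0.3 is reported fixed despite sitting inside the numeric range.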


      For additional details, please see full advisory here: https://confluence.atlassian.com/pages/viewpage.action?spaceKey=SECURITY&title=August+2022%3A+Atlassian+Security+Advisories+Overview

      This vulnerability was discovered by @TheGrandPew and reported via our Bug Bounty program.


            David Lagacé added a comment - edited

            erase my comment. sorry.

            Douglas Gnoato added a comment -

            Hey e45d5156a1e9, thanks for your message. I would strongly encourage you to raise a support request with our Bitbucket support team and have that checked with the experts on the tool. The link below takes you right to our support portal for raising a ticket.

            https://support.atlassian.com/contact/

            Douglas Gnoato
            Atlassian team

            Eduardo Castro added a comment - edited

            Hi, good afternoon,

            I have recently updated Bitbucket to 7.21.3 and, seeing this, I'll need to install 7.21.4, which has the fix, right? Will the process be like installing from scratch, or is there a short script to make the update from 7.21.3 to 7.21.4?

            @Zachary Echouafni

            Thanks

            Zachary Echouafni added a comment - Patches were released, official Confluence page can be seen here: https://confluence.atlassian.com/display/SECURITY/August+2022%3A+Atlassian+Security+Advisories+Overview

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 9.9 => Critical severity

            Exploitability Metrics
              Attack Vector: Network
              Attack Complexity: Low
              Privileges Required: Low
              User Interaction: None

            Scope Metric
              Scope: Changed

            Impact Metrics
              Confidentiality: High
              Integrity: High
              Availability: High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Votes: 0
              Watchers: 20