Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-13438

Critical severity command injection vulnerability - CVE-2022-36804

XMLWordPrintable

    • Icon: Public Security Vulnerability Public Security Vulnerability
    • Resolution: Fixed
    • Icon: Low Low
    • 8.0.3, 8.1.3, 8.2.2, 8.3.1, 7.6.17, 7.17.10, 7.21.4
    • 7.0.0, 7.0.1, 7.2.0, 7.0.2, 7.1.1, 7.0.3, 7.1.2, 7.0.4, 7.1.3, 7.2.1, 7.3.0, 7.0.5, 7.1.4, 7.2.2, 7.2.3, 7.2.4, 7.4.0, 7.3.1, 7.2.5, 7.3.2, 7.4.1, 7.5.0, 7.4.2, 7.5.1, 7.6.0, 7.2.6, 7.5.2, 7.6.1, 7.7.0, 7.8.0, 7.7.1, 7.6.2, 7.9.0, 7.8.1, 7.9.1, 7.10.0, 7.6.3, 7.6.4, 7.10.1, 7.12.0, 7.11.1, 7.6.5, 7.11.2, 7.6.6, 7.13.0, 7.12.1, 7.6.7, 7.14.0, 7.13.1, 7.15.0, 7.14.1, 7.6.8, 7.14.2, 7.6.9, 7.15.1, 7.16.0, 7.15.2, 7.17.0, 7.18.0, 7.16.1, 7.6.10, 7.17.1, 7.17.2, 7.18.1, 7.6.11, 7.16.2, 7.17.3, 7.18.2, 7.20.0, 7.18.3, 7.17.4, 7.15.3, 7.16.3, 7.6.12, 7.6.13, 7.19.2, 7.18.4, 7.17.5, 7.19.3, 7.6.14, 8.0.0, 7.17.6, 7.19.4, 7.20.1, 7.19.5, 7.20.2, 8.1.0, 8.2.0, 8.0.1, 8.1.1, 7.20.3, 8.0.2, 8.1.2, 8.2.1, 8.3.0, 7.6.15, 7.6.16, 7.17.7, 7.17.8, 7.17.9, 7.21.0, 7.21.1, 7.21.2, 7.21.3
    • None
    • 9.9
    • Critical
    • CVE-2022-36804

      Command injection vulnerability through malicious HTTP requests

      There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.

      All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability.

      The full list of affected versions can be found in the "Affects Version/s:" field of this report.

      Affected versions:

      All Bitbucket Server and Data Center versions from 7.0.0 to 8.3.0 inclusive.

      Fixed versions:

      Supported Version Bug Fix Release
      Bitbucket Server and Data Center 7.6 7.6.17 (LTS) or newer
      Bitbucket Server and Data Center 7.17 7.17.10 (LTS) or newer
      Bitbucket Server and Data Center 7.21 7.21.4 (LTS) or newer
      Bitbucket Server and Data Center 8.0 8.0.3 or newer
      Bitbucket Server and Data Center 8.1 8.1.3 or newer
      Bitbucket Server and Data Center 8.2 8.2.2 or newer
      Bitbucket Server and Data Center 8.3 8.3.1 or newer

      Bitbucket Mesh

      If you have configured Bitbucket Mesh nodes, these will need to be updated with to the corresponding version of Mesh that includes the fix. To find the version of Mesh compatible with the Bitbucket Data Center version, please check the compatibility matrix. You can download the corresponding version from the download centre.

       

      For additional details, please see full advisory here: https://confluence.atlassian.com/pages/viewpage.action?spaceKey=SECURITY&title=August+2022%3A+Atlassian+Security+Advisories+Overview

      This vulnerability was discovered by @TheGrandPew and reported via our Bug Bounty program.

            Unassigned Unassigned
            security-metrics-bot Security Metrics Bot
            Votes:
            0 Vote for this issue
            Watchers:
            20 Start watching this issue

              Created:
              Updated:
              Resolved: