-
Public Security Vulnerability
-
Resolution: Fixed
-
Low
-
7.0.0, (103)
7.0.1, 7.2.0, 7.0.2, 7.1.1, 7.0.3, 7.1.2, 7.0.4, 7.1.3, 7.2.1, 7.3.0, 7.0.5, 7.1.4, 7.2.2, 7.2.3, 7.2.4, 7.4.0, 7.3.1, 7.2.5, 7.3.2, 7.4.1, 7.5.0, 7.4.2, 7.5.1, 7.6.0, 7.2.6, 7.5.2, 7.6.1, 7.7.0, 7.8.0, 7.7.1, 7.6.2, 7.9.0, 7.8.1, 7.9.1, 7.10.0, 7.6.3, 7.6.4, 7.10.1, 7.12.0, 7.11.1, 7.6.5, 7.11.2, 7.6.6, 7.13.0, 7.12.1, 7.6.7, 7.14.0, 7.13.1, 7.15.0, 7.14.1, 7.6.8, 7.14.2, 7.6.9, 7.15.1, 7.16.0, 7.15.2, 7.17.0, 7.18.0, 7.16.1, 7.6.10, 7.17.1, 7.17.2, 7.18.1, 7.6.11, 7.16.2, 7.17.3, 7.18.2, 7.20.0, 7.18.3, 7.17.4, 7.15.3, 7.16.3, 7.6.12, 7.6.13, 7.19.2, 7.18.4, 7.17.5, 7.19.3, 7.6.14, 8.0.0, 7.17.6, 7.19.4, 7.20.1, 7.19.5, 7.20.2, 8.1.0, 8.2.0, 8.0.1, 8.1.1, 7.20.3, 8.0.2, 8.1.2, 8.2.1, 8.3.0, 7.6.15, 7.6.16, 7.17.7, 7.17.8, 7.17.9, 7.21.0, 7.21.1, 7.21.2, 7.21.3 -
None
-
9.9
-
Critical
-
CVE-2022-36804
Command injection vulnerability through malicious HTTP requests
There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.
All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability.
The full list of affected versions can be found in the "Affects Version/s:" field of this report.
Affected versions:
All Bitbucket Server and Data Center versions from 7.0.0 to 8.3.0 inclusive.
Fixed versions:
| Supported Version | Bug Fix Release |
|---|---|
| Bitbucket Server and Data Center 7.6 | 7.6.17 (LTS) or newer |
| Bitbucket Server and Data Center 7.17 | 7.17.10 (LTS) or newer |
| Bitbucket Server and Data Center 7.21 | 7.21.4 (LTS) or newer |
| Bitbucket Server and Data Center 8.0 | 8.0.3 or newer |
| Bitbucket Server and Data Center 8.1 | 8.1.3 or newer |
| Bitbucket Server and Data Center 8.2 | 8.2.2 or newer |
| Bitbucket Server and Data Center 8.3 | 8.3.1 or newer |
Bitbucket Mesh
If you have configured Bitbucket Mesh nodes, these will need to be updated with to the corresponding version of Mesh that includes the fix. To find the version of Mesh compatible with the Bitbucket Data Center version, please check the compatibility matrix. You can download the corresponding version from the download centre.
For additional details, please see full advisory here: https://confluence.atlassian.com/pages/viewpage.action?spaceKey=SECURITY&title=August+2022%3A+Atlassian+Security+Advisories+Overview
This vulnerability was discovered by @TheGrandPew and reported via our Bug Bounty program.
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[BSERV-13438] Critical severity command injection vulnerability - CVE-2022-36804
| Remote Link | New: This issue links to "Page (Confluence)" [ 847665 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 846201 ] |
| CVE ID | New: CVE-2022-36804 |
Hey e45d5156a1e9 thanks for your message. I would strongly encourage you to raise a support request with our Bitbucket support team and have that checked with the experts on the tool 
The link below takes you right to our support portal for raising a ticket.
Douglas Gnoato
Atlassian team
Hi good afternoon,
I have recently updated Bitbucket to 7.21.3 and seeing this, I'll need to install the 7.21.4 where it have the fix right...? The process will be like if I were to install from scratch or there's a short script to make the update from 7.21.3 to 7.21.4?
@Zachary Echouafni
Thanks
| Security | Original: Atlassian Staff [ 10750 ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: Draft [ 12872 ] | New: Published [ 12873 ] |
Patches were released, official Confluence page can be seen here: https://confluence.atlassian.com/display/SECURITY/August+2022%3A+Atlassian+Security+Advisories+Overview
| Link | New: This issue duplicates BSERV-13437 [ BSERV-13437 ] |
erase my comment. sorry.