
Critical severity command injection vulnerability - CVE-2022-36804

    • Type: Public Security Vulnerability
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 8.0.3, 8.1.3, 8.2.2, 8.3.1, 7.6.17, 7.17.10, 7.21.4
    • Affects Version/s (103): 7.0.0, 7.0.1, 7.2.0, 7.0.2, 7.1.1, 7.0.3, 7.1.2, 7.0.4, 7.1.3, 7.2.1, 7.3.0, 7.0.5, 7.1.4, 7.2.2, 7.2.3, 7.2.4, 7.4.0, 7.3.1, 7.2.5, 7.3.2, 7.4.1, 7.5.0, 7.4.2, 7.5.1, 7.6.0, 7.2.6, 7.5.2, 7.6.1, 7.7.0, 7.8.0, 7.7.1, 7.6.2, 7.9.0, 7.8.1, 7.9.1, 7.10.0, 7.6.3, 7.6.4, 7.10.1, 7.12.0, 7.11.1, 7.6.5, 7.11.2, 7.6.6, 7.13.0, 7.12.1, 7.6.7, 7.14.0, 7.13.1, 7.15.0, 7.14.1, 7.6.8, 7.14.2, 7.6.9, 7.15.1, 7.16.0, 7.15.2, 7.17.0, 7.18.0, 7.16.1, 7.6.10, 7.17.1, 7.17.2, 7.18.1, 7.6.11, 7.16.2, 7.17.3, 7.18.2, 7.20.0, 7.18.3, 7.17.4, 7.15.3, 7.16.3, 7.6.12, 7.6.13, 7.19.2, 7.18.4, 7.17.5, 7.19.3, 7.6.14, 8.0.0, 7.17.6, 7.19.4, 7.20.1, 7.19.5, 7.20.2, 8.1.0, 8.2.0, 8.0.1, 8.1.1, 7.20.3, 8.0.2, 8.1.2, 8.2.1, 8.3.0, 7.6.15, 7.6.16, 7.17.7, 7.17.8, 7.17.9, 7.21.0, 7.21.1, 7.21.2, 7.21.3
    • CVSS score: 9.9
    • Severity: Critical
    • CVE ID: CVE-2022-36804

      Command injection vulnerability through malicious HTTP requests

      There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.

      All versions released after 6.10.17, that is 7.0.0 and newer, are affected. In practice this means that every instance running any version between 7.0.0 and 8.3.0 inclusive can be exploited.

      The full list of affected versions can be found in the "Affects Version/s:" field of this report.

      Affected versions:

      All Bitbucket Server and Data Center versions from 7.0.0 to 8.3.0 inclusive.

      Fixed versions:

        Supported Version                       Bug Fix Release
        Bitbucket Server and Data Center 7.6    7.6.17 (LTS) or newer
        Bitbucket Server and Data Center 7.17   7.17.10 (LTS) or newer
        Bitbucket Server and Data Center 7.21   7.21.4 (LTS) or newer
        Bitbucket Server and Data Center 8.0    8.0.3 or newer
        Bitbucket Server and Data Center 8.1    8.1.3 or newer
        Bitbucket Server and Data Center 8.2    8.2.2 or newer
        Bitbucket Server and Data Center 8.3    8.3.1 or newer

      Release lines not listed above (for example 7.19.x or 7.20.x) have no bug-fix release for this issue; instances on those lines must move to one of the fixed releases above.

      Bitbucket Mesh

      If you have configured Bitbucket Mesh nodes, these also need to be updated to the corresponding Mesh version that includes the fix. To find the Mesh version compatible with your Bitbucket Data Center version, check the compatibility matrix (https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Mesh+compatibility+matrix). The corresponding version can be downloaded from the download centre (https://www.atlassian.com/software/bitbucket/download-mesh-archives).

      For additional details, please see full advisory here: https://confluence.atlassian.com/pages/viewpage.action?spaceKey=SECURITY&title=August+2022%3A+Atlassian+Security+Advisories+Overview

      This vulnerability was discovered by @TheGrandPew and reported via our Bug Bounty program.
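      As a triage aid for the affected and fixed version rules stated in this issue, the following Python script is an added example; it is not Atlassian's code and is not part of the issue. It encodes only what the advisory states (every release from 7.0.0 to 8.3.0 inclusive is affected; the fixed releases are 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2 and 8.3.1). Two things are the example's own assumptions: releases newer than 8.3.0 are treated as including the fix, and affected release lines with no bug-fix release are reported as needing a move to a fixed line. The sample JSON is a constructed stand-in for the response of the Bitbucket REST endpoint GET /rest/api/1.0/application-properties. The script checks the Bitbucket version only; Mesh nodes must be checked separately against the compatibility matrix.

```python
"""Triage helper for CVE-2022-36804 (Bitbucket Server / Data Center).

Added example, not Atlassian's code. Encodes only the ranges and fixed
releases stated in the advisory; see the comments for the two assumptions.
"""
import json
import re
from typing import NamedTuple, Optional

# Fixed releases per supported line, from the advisory's "Fixed versions" table.
FIXED_RELEASES = {
    (7, 6): (7, 6, 17),
    (7, 17): (7, 17, 10),
    (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 3),
    (8, 2): (8, 2, 2),
    (8, 3): (8, 3, 1),
}

AFFECTED_MIN = (7, 0, 0)  # inclusive, per the advisory
AFFECTED_MAX = (8, 3, 0)  # inclusive, per the advisory

# Constructed sample of an application-properties response (not captured from a real host).
SAMPLE_RESPONSE = '{"version":"7.19.4","buildNumber":"7019004","buildDate":"1652947200000","displayName":"Bitbucket"}'


def parse_version(text: str) -> tuple:
    """Parse 'major.minor[.patch]'; trailing labels such as '-SNAPSHOT' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a Bitbucket version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def fmt(v: tuple) -> str:
    return ".".join(str(part) for part in v)


class Verdict(NamedTuple):
    version: tuple
    affected: bool
    fix: Optional[tuple]  # bug-fix release in the same line, if the advisory lists one
    note: str


def assess(version_text: str) -> Verdict:
    """Decide whether a Bitbucket version is affected and which release fixes it."""
    v = parse_version(version_text)
    fix = FIXED_RELEASES.get(v[:2])
    if v < AFFECTED_MIN:
        return Verdict(v, False, None, "pre-7.0.0 release, outside the affected range")
    if fix is not None and v >= fix:
        return Verdict(v, False, fix, "fixed release or later")
    if v > AFFECTED_MAX and fix is None:
        # Assumption of this example: lines newer than 8.3 ship with the fix.
        return Verdict(v, False, None, "newer than 8.3.0; assumed to include the fix")
    if fix is not None:
        return Verdict(v, True, fix, f"upgrade to {fmt(fix)} or newer")
    # Assumption of this example: a line the advisory lists no fix for must move
    # to one of the fixed lines (the LTS releases 7.6.17, 7.17.10 or 7.21.4, or 8.x).
    return Verdict(v, True, None, "affected line with no bug-fix release; move to a fixed line")


def version_from_application_properties(body: str) -> str:
    """Extract the 'version' field from an application-properties JSON response."""
    return json.loads(body)["version"]


if __name__ == "__main__":
    for text in ["6.10.17", "7.0.0", "7.6.16", "7.6.17", "7.19.4", "8.3.0", "8.3.1", "8.4.0"]:
        r = assess(text)
        print(f"{fmt(r.version):>8}  affected={str(r.affected):5}  {r.note}")
    print(assess(version_from_application_properties(SAMPLE_RESPONSE)))
```

      Feed it the version string of each instance in your fleet; the verdict distinguishes between a version that needs a same-line bug-fix upgrade and one on a line that has no fix at all.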

            [BSERV-13438] Critical severity command injection vulnerability - CVE-2022-36804

            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 847665 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 846201 ]
            Security Metrics Bot made changes -
            CVE ID New: CVE-2022-36804
            Zachary Echouafni made changes -
            Security Original: Atlassian Staff [ 10750 ]
            Zachary Echouafni made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            Gabriel Ribeiro made changes -
            Link New: This issue duplicates BSERV-13437 [ BSERV-13437 ]
            Prerana Shenoy made changes -
            Description changed: the line "For additional details, please see full advisory here: [https://confluence.atlassian.com/pages/viewpage.action?spaceKey=SECURITY&title=August+2022%3A+Atlassian+Security+Advisories+Overview]" was added before the credit line. The remainder of the description (summary, affected versions, fixed versions table, Bitbucket Mesh note, credit line) is unchanged. The fixed versions table in both versions, in the issue's wiki markup:
            ||*Supported Version*||*Bug Fix Release*||
            |[Bitbucket Server and Data Center 7.6|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Server+7.6+release+notes]|7.6.17 ([LTS|https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html]) or newer|
            |[Bitbucket Server and Data Center 7.17|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+7.17+release+notes]|7.17.10 ([LTS|https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html]) or newer|
            |[Bitbucket Server and Data Center 7.21|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+7.21+release+notes]|7.21.4 ([LTS|https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html]) or newer|
            |[Bitbucket Server and Data Center 8.0|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+8.0+release+notes]|8.0.3 or newer|
            |[Bitbucket Server and Data Center 8.1|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+8.1+release+notes]|8.1.3 or newer|
            |[Bitbucket Server and Data Center 8.2|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+8.2+release+notes]|8.2.2 or newer|
            |[Bitbucket Server and Data Center 8.3|https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Data+Center+and+Server+8.3+release+notes]|8.3.1 or newer|
            Jennelle Stearns made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 675029 ]
            Clement made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 674662 ]
            Prerana Shenoy made changes -
            Description changed: the credit line "This vulnerability was discovered by [@TheGrandPew|https://twitter.com/TheGrandPew] and reported via our Bug Bounty program." was added at the end. The remainder of the description (summary, affected versions, fixed versions table, Bitbucket Mesh note) is unchanged.

              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Votes: 0
              Watchers: 20