CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability

CVE-2022-36804

On August 24, 2022, Atlassian officially issued a risk notice for Bitbucket Server and Data Center. The vulnerability number is CVE-2022-36804, and the severity is critical. The flaw was found by the security researcher @TheGrandPew and reported via our Bug Bounty program. He has promised to release proof-of-concept code in 30 days.

Bitbucket is a Git-based source code repository hosting service owned by Atlassian. Bitbucket offers both commercial plans and free accounts with an unlimited number of private repositories.

This bug affects Bitbucket Server and Data Center products, and, allows an “attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”

CVE-2022-36804 is in multiple API endpoints of Bitbucket Server and Data Center. All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.

Fixed Versions

For users who can not temporarily upgrade, Bitbucket gave a temporary mitigation method.  A temporary mitigation step is to turn off public repositories globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack.