Atlassian has published a security advisory alerting Bitbucket Server and Data Center users to a critical vulnerability (9.9 out of 10 on the CVSS scale) that attackers could use to execute arbitrary code.
The developers write that the CVE-2022-36804 problem appeared in version 7.0.0 of Bitbucket Server and Data Center. The bug is described as a command injection vulnerability that can be exploited using specially crafted HTTP requests.
“An attacker with access to a public Bitbucket repository or with read access to a private repository could execute arbitrary code simply by sending a malicious HTTP request,” Atlassian said in a bulletin.
The issue, discovered by information security expert Max Garrett, alias @TheGrandPew, affects all versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer:
- Bitbucket Server and Data Center 7.6;
- Bitbucket Server and Data Center 7.17;
- Bitbucket Server and Data Center 7.21;
- Bitbucket Server and Data Center 8.0;
- Bitbucket Server and Data Center 8.1;
- Bitbucket Server and Data Center 8.2;
- Bitbucket Server and Data Center 8.3.
Versions in which the problem is fixed: 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2 and 8.3.1.
As a temporary security measure (in case patches cannot be applied immediately), Atlassian recommends disabling public repositories with feature.public.access=false to prevent unauthenticated users from exploiting the vulnerability. However, an attacker who already has a user account with read access to a repository can still exploit it, so this workaround does not replace patching.
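To turn the affected and fixed release lines above into something an administrator can run against an inventory of instances, here is an added example (not Atlassian tooling) that classifies a Bitbucket Server or Data Center version string against the advisory's list. It assumes the affected range starts at 7.0.0, as the advisory states; that a release line the advisory names no fix for (7.18.x, for instance) is unpatched; and that lines above 8.3 are outside the advisory's scope and are reported as such rather than guessed.

```python
"""Classify a Bitbucket Server / Data Center version against the
CVE-2022-36804 advisory.  Added example, not Atlassian code.

Assumptions (not stated as such in the advisory): the affected range
starts at 7.0.0; a release line with no listed fix is treated as
unpatched; lines newer than the highest listed fix are out of scope.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (7, 0, 0)

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (7, 6): (7, 6, 17),
    (7, 17): (7, 17, 10),
    (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 3),
    (8, 2): (8, 2, 2),
    (8, 3): (8, 3, 1),
}
HIGHEST_LISTED_LINE = max(FIXED_VERSIONS)


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def recommended_upgrade(version_text: str) -> Optional[Version]:
    """Lowest fixed release that is newer than the given version, if any.

    For a line with its own patch this is that patch; for an unpatched
    line (e.g. 7.18.x) it is the next fixed line up (7.21.4)."""
    v = parse_version(version_text)
    candidates = [f for f in FIXED_VERSIONS.values() if f > v]
    return min(candidates) if candidates else None


def assess(version_text: str) -> dict:
    """Return a status of 'not_affected', 'fixed', 'vulnerable' or
    'not_listed', together with the release to move to."""
    v = parse_version(version_text)
    line = (v[0], v[1])
    if v < FIRST_AFFECTED:
        return {"version": v, "status": "not_affected", "upgrade_to": None}
    if line > HIGHEST_LISTED_LINE:
        # Newer than anything the advisory names: consult the vendor, do not guess.
        return {"version": v, "status": "not_listed", "upgrade_to": None}
    fixed = FIXED_VERSIONS.get(line)
    if fixed is not None and v >= fixed:
        return {"version": v, "status": "fixed", "upgrade_to": None}
    # Either below the patch on a listed line, or on a line with no patch at all.
    return {"version": v, "status": "vulnerable",
            "upgrade_to": recommended_upgrade(version_text)}


def status_of(version_text: str) -> str:
    return assess(version_text)["status"]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("bb-prod", "7.21.3"), ("bb-stage", "7.18.2"),
                      ("bb-legacy", "6.10.17"), ("bb-new", "8.3.1")]:
        print(host, ver, assess(ver))
```

The script is deliberately strict about input: a version string it cannot parse raises rather than being silently classified as safe, which is the failure mode you least want in an inventory sweep.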
Garrett has said on Twitter that he will release a PoC exploit for CVE-2022-36804 in 30 days, giving administrators time to install the available patches in the meantime. He warns, however, that reverse engineering Atlassian's patch is unlikely to be too difficult for experienced attackers, so attacks on the fresh vulnerability could begin before the PoC is published.