Atlassian fixed a critical flaw in Bitbucket Server and Data Center, tracked as CVE-2022-36804 (CVSS score 9.9), that could be explored to execute malicious code on vulnerable installs
The flaw is a command injection vulnerability that can be exploited via specially crafted HTTP requests.
“This advisory discloses a critical severity security vulnerability which was introduced in version 7.0.0 of Bitbucket Server and Data Center.” reads the advisory. “There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”
The issue impacts all versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all installs that are running any versions between 7.0.0 and 8.3.0 inclusive are impacted.
Domains hosted by Atlassian are not affected by this issue.
“If you’re unable to upgrade Bitbucket, a temporary mitigation step is to turn off public repositories globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack. This can not be considered a complete mitigation as an attacker with a user account could still succeed.” continues the advisory.
-Prameet
