
Atlassian Releases Security Update for Bitbucket Server and Data Center

Update addresses critical command injection vulnerability


Summary

Atlassian has released updates for Bitbucket Server and Data Center that address CVE-2022-36804, a critical (CVSS 9.9) command injection vulnerability in the product's API endpoints. CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, so affected organisations should update or apply the Atlassian workaround without delay.


Affected platforms

The following platforms are known to be affected:

Atlassian Bitbucket Server and Data Center (the affected and fixed versions are listed in the Atlassian advisory)

Threat details

Exploitation in the wild

CISA has added CVE-2022-36804 to its Known Exploited Vulnerabilities Catalog, indicating that the vulnerability is being actively exploited. Affected organisations are encouraged to review the Atlassian Bitbucket Server and Data Center Advisory and apply the necessary updates or workarounds.


Introduction

Atlassian has released an advisory that addresses a critical command injection vulnerability, tracked as CVE-2022-36804, which affects API endpoints in Bitbucket Server and Data Center and has a CVSS score of 9.9.

A remote attacker with access to a public Bitbucket repository, or with read permission to a private one, could exploit this vulnerability by sending a malicious HTTP request, resulting in arbitrary code execution on the server.


Remediation advice

Affected organisations are encouraged to review the Atlassian Bitbucket Server and Data Center Advisory and apply the necessary updates or workarounds.



Last edited: 3 October 2022 1:04 pm