CVE-2022-36804

Warnung

Exploit

EPSS 94.43%
Veröffentlicht 25.08.2022 06:15:09
Zuletzt bearbeitet 24.10.2025 13:37:44
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

Betroffene Produkte Warnungen 2 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atlassian ≫ Bitbucket Version >= 7.0.0 < 7.6.17

Atlassian ≫ Bitbucket Version >= 7.7.0 < 7.17.10

Atlassian ≫ Bitbucket Version >= 7.18.0 < 7.21.4

Atlassian ≫ Bitbucket Version >= 8.0.0 < 8.0.3

Atlassian ≫ Bitbucket Version >= 8.1.0 < 8.1.3

Atlassian ≫ Bitbucket Version >= 8.2.0 < 8.2.2

Atlassian ≫ Bitbucket Version8.3.0

30.09.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Atlassian Bitbucket Server and Data Center Command Injection Vulnerability

Schwachstelle

Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

29.08.2022: CERT.at Warnung

https://www.cert.at/de/warnungen/2022/8/kritische-sicherheitslucke-in-atlassian-bitbucket-server-and-data-center-updates-verfugbar

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.43%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html

Third Party Advisory

Exploit

VDB Entry

http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://jira.atlassian.com/browse/BSERV-13438

Patch

Vendor Advisory

Release Notes