Atlassian warns of a serious flaw in Bitbucket Server and Data Center

Atlassian has shipped a security update to address a command injection flaw in its Bitbucket Server and Data Center product.

Tracked as CVE-2022-36804, the vulnerability has a CVSS severity score of 9.9 out of 10 and can be exploited remotely to launch code execution attacks.

The bug allows a remote attacker to execute arbitrary shell commands on the target system. The issue stems from improper input validation within multiple API endpoints. A remote attacker with access to a public repository or read permissions to a private Bitbucket repository can send a specially crafted HTTP request and execute arbitrary OS commands on the server.

The flaw impacts all Bitbucket Server and Data Center versions released after 6.10.17, including 7.0.0 and newer. Atlassian Cloud sites are not affected by the issue, the company said.

Earlier this month, security researchers warned of a malicious campaign exploiting a vulnerability in Atlassian Confluence Server software.
