#VU66798 OS Command Injection in Bitbucket Server and Bitbucket Data Center - CVE-2022-36804
Vulnerability identifier: #VU66798
Vulnerability risk: High
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID:
CWE-ID:
CWE-78
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
Bitbucket Server
Server applications /
Application servers
Bitbucket Data Center
Server applications /
Other server solutions
Vendor: Atlassian
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within multiple API endpoints. A remote attacker with access to a public repository or read permissions to a private Bitbucket repository can send a specially crafted HTTP request and execute arbitrary OS commands on the server.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Bitbucket Server: 7.0.1 - 7.0.5, 7.1.0 - 7.19.5, 7.2.0 - 7.21.3, 7.3.0 - 7.3.2, 7.4.0 - 7.4.2, 7.5.0 - 7.5.2, 7.6.0 - 7.6.16, 7.7.0 - 7.7.1, 7.8.0 - 7.8.1, 7.9.0 - 7.9.1, 8.0.0 - 8.0.2, 8.1.0 - 8.1.2, 8.2.0 - 8.2.1, 8.3.0
Bitbucket Data Center: 7.0.1 - 7.0.5, 7.1.0 - 7.19.5, 7.2.0 - 7.21.3, 7.3.0 - 7.3.2, 7.4.0 - 7.4.2, 7.5.0 - 7.5.2, 7.6.0 - 7.6.16, 7.7.0 - 7.7.1, 7.8.0 - 7.8.1, 7.9.0 - 7.9.1, 8.0.0 - 8.0.2, 8.1.0 - 8.1.2, 8.2.0 - 8.2.1, 8.3.0
External links
https://jira.atlassian.com/browse/BSERV-13438
https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
