Critical Atlassian Bitbucket Server and Data Center Flaw Let Attackers Execute of Malicious Code

Atlassian revealed a critical security flaw in Bitbucket Server and Data Center that allows attackers to execute malicious code on vulnerable instances. The critical flaw is tracked as (CVE-2022-36804), a command injection vulnerability found in multiple API endpoints of Bitbucket Server and Data Center.

Vulnerability Details

Bitbucket is a Git-based source code repository hosting service owned by Atlassian. Bitbucket offers both commercial plans and free accounts with an unlimited number of private repositories.

EHA

Bitbucket Server and Data Center – Command injection vulnerability received a CVSS severity score of 9.9. According to the scale published in Atlassian severity levels, the severity level of this vulnerability is ‘Critical’.

“An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request”, reads the Advisory published by Atlassian.

Affected and Fixed Versions

All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.

Further, the company states that users who access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian, and users are not affected by the vulnerability.

Fixed Versions

Update Now

Atlassian advises the users to upgrade the instance to one of the versions listed in the “Fixed Versions” table. Also, if you have configured Bitbucket Mesh nodes, these will need to be updated with the corresponding version of Mesh that includes the fix.

Those who are unsure whether your Bitbucket instance has Bitbucket Mesh configured, as a user with system administration privileges navigate to Administration > Bitbucket Mesh, this page will list Mesh nodes each of which will need to be upgraded.

If you’re unable to upgrade Bitbucket, the company recommends applying temporary partial mitigation by turning off public repositories using “feature.public.access=false”.

Download Free SWG – Secure Web Filtering – E-book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.