critical-vulnerability-discovered-in-atlassian-bitbucket-server-and-data-center

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Critical Vulnerability Discovered in Atlassian Bitbucket Server and Data Center

Atlassian has rolled out fixes for a critical security flaw in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations.

Tracked as CVE-2022-36804 (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests.

“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian said in an advisory.

The shortcoming, discovered and reported by security researcher @TheGrandPew impacts all versions of Bitbucket Server and Datacenter released after 6.10.17, inclusive of 7.0.0 and newer –

  • Bitbucket Server and Datacenter 7.6
  • Bitbucket Server and Datacenter 7.17
  • Bitbucket Server and Datacenter 7.21
  • Bitbucket Server and Datacenter 8.0
  • Bitbucket Server and Datacenter 8.1
  • Bitbucket Server and Datacenter 8.2, and
  • Bitbucket Server and Datacenter 8.3

As a temporary workaround in scenarios where the patches cannot be applied right away, Atlassian is recommending turning off public repositories using “feature.public.access=false” to prevent unauthorized users from exploiting the flaw.

“This can not be considered a complete mitigation as an attacker with a user account could still succeed,” it cautioned, meaning it could be leveraged by threat actors who are already in possession of valid credentials obtained through other means.

Users of affected versions of the software are recommended to upgrade their instances to the latest version as soon as possible to mitigate potential threats.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Hackers using USB drives to spread malware in ongoing attack

Hackers using USB drives to spread malware in ongoing attack

According to a recent post by the cybersecurity firm Mandiant, USB drives are being used to hack targets in Southeast…
AI-Powered Smart Glasses Give Deaf People the Power of Speech

AI-Powered Smart Glasses Give Deaf People the Power of Speech

In a recent example of innovative technology making a positive difference, there is now new artificial intelligence (AI) powered smart…
16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar

16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar

Seeing as scammers readily jump to capitalize on events with huge global interest, it comes as no surprise that Group-IB…