Atlassian Critical Bitbucket RCE Vulnerability Exists in the Wild

August 28, 2022

Atlassian has released a patch for Bitbucket Server and Data Center addressing a critical Remote Code Execution vulnerability that exists in the wild.

The Vulnerability

  • CVE-2022-36804, Critical (CVSS 3.1: 9.9) – Command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public repository, or with read permissions on a private Bitbucket repository, can execute arbitrary code by sending a malicious HTTP request.

Affected Products

  • Bitbucket Server and Data Center 7.6
  • Bitbucket Server and Data Center 7.17
  • Bitbucket Server and Data Center 7.21
  • Bitbucket Server and Data Center 8.0
  • Bitbucket Server and Data Center 8.1
  • Bitbucket Server and Data Center 8.2
  • Bitbucket Server and Data Center 8.3

Mitigation

CYREBRO recommends updating Bitbucket Server and Data Center instances to their latest available versions.

Workaround

Those who are unable to apply the security upgrades are encouraged to temporarily disable public repositories by setting “feature.public.access=false”.
This cannot be regarded as a full mitigation, since an attacker with access to a user account could still execute arbitrary code.
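A small triage helper, added here as an example (it is not part of the advisory or of Atlassian's tooling), that checks an instance's version against the lines listed under Affected Products and reads the feature.public.access workaround from a Java-style properties file. It assumes the setting lives in a file such as shared/bitbucket.properties (an assumption), that every patch release of a listed line is affected, and that the key defaults to enabled when absent; the sample properties text is constructed.

```python
# Added example: triage one Bitbucket instance against the advisory above.
# The version lines come from the Affected Products list on this page.
AFFECTED_LINES = {"7.6", "7.17", "7.21", "8.0", "8.1", "8.2", "8.3"}


def parse_properties(text):
    """Minimal Java .properties parser: skips '#'/'!' comments and blank
    lines, splits on the first '=' or ':' and strips whitespace
    (no support for line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            idx = min(seps)
            key, value = line[:idx], line[idx + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def public_access_disabled(props):
    # The workaround is feature.public.access=false. Assumption: an absent key
    # means public access is still enabled, so only an explicit "false" counts.
    return props.get("feature.public.access", "").lower() == "false"


def triage(version, props):
    """Return (status, reason) for a version string like '7.21.4'."""
    major_minor = ".".join(version.split(".")[:2])
    if major_minor not in AFFECTED_LINES:
        return "unlisted", f"{version} is not a listed line; consult the advisory"
    if public_access_disabled(props):
        return ("partially-mitigated",
                "public repos disabled; authenticated users can still exploit; upgrade")
    return "vulnerable", "affected line with public repository access enabled; upgrade now"


# Constructed sample of a bitbucket.properties file (not a real instance).
SAMPLE_PROPERTIES = """\
# constructed sample
server.port = 7990
feature.public.access=true
"""

if __name__ == "__main__":
    print(triage("7.21.4", parse_properties(SAMPLE_PROPERTIES)))
```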

References: Atlassian Advisory