Vulnerability Details CVE-2022-36804
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.944
EPSS Ranking 100.0%
CVSS Severity
CVSS v3 Score 8.8
Proposed Action
Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html
- http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html
- https://jira.atlassian.com/browse/BSERV-13438
- http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html
- http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html
- https://jira.atlassian.com/browse/BSERV-13438
Products affected by CVE-2022-36804
-
cpe:2.3:a:atlassian:bitbucket:7.0.0
-
cpe:2.3:a:atlassian:bitbucket:7.0.1
-
cpe:2.3:a:atlassian:bitbucket:7.0.2
-
cpe:2.3:a:atlassian:bitbucket:7.0.3
-
cpe:2.3:a:atlassian:bitbucket:7.0.4
-
cpe:2.3:a:atlassian:bitbucket:7.0.5
-
cpe:2.3:a:atlassian:bitbucket:7.1.0
-
cpe:2.3:a:atlassian:bitbucket:7.1.1
-
cpe:2.3:a:atlassian:bitbucket:7.1.2
-
cpe:2.3:a:atlassian:bitbucket:7.1.3
-
cpe:2.3:a:atlassian:bitbucket:7.1.4
-
cpe:2.3:a:atlassian:bitbucket:7.10.0
-
cpe:2.3:a:atlassian:bitbucket:7.10.1
-
cpe:2.3:a:atlassian:bitbucket:7.11.1
-
cpe:2.3:a:atlassian:bitbucket:7.11.2
-
cpe:2.3:a:atlassian:bitbucket:7.12.0
-
cpe:2.3:a:atlassian:bitbucket:7.12.1
-
cpe:2.3:a:atlassian:bitbucket:7.13.0
-
cpe:2.3:a:atlassian:bitbucket:7.13.1
-
cpe:2.3:a:atlassian:bitbucket:7.14.0
-
cpe:2.3:a:atlassian:bitbucket:7.14.1
-
cpe:2.3:a:atlassian:bitbucket:7.14.2
-
cpe:2.3:a:atlassian:bitbucket:7.15.0
-
cpe:2.3:a:atlassian:bitbucket:7.15.1
-
cpe:2.3:a:atlassian:bitbucket:7.15.2
-
cpe:2.3:a:atlassian:bitbucket:7.15.3
-
cpe:2.3:a:atlassian:bitbucket:7.16.0
-
cpe:2.3:a:atlassian:bitbucket:7.16.1
-
cpe:2.3:a:atlassian:bitbucket:7.16.2
-
cpe:2.3:a:atlassian:bitbucket:7.16.3
-
cpe:2.3:a:atlassian:bitbucket:7.17.0
-
cpe:2.3:a:atlassian:bitbucket:7.17.1
-
cpe:2.3:a:atlassian:bitbucket:7.17.2
-
cpe:2.3:a:atlassian:bitbucket:7.17.3
-
cpe:2.3:a:atlassian:bitbucket:7.17.4
-
cpe:2.3:a:atlassian:bitbucket:7.17.5
-
cpe:2.3:a:atlassian:bitbucket:7.17.6
-
cpe:2.3:a:atlassian:bitbucket:7.17.7
-
cpe:2.3:a:atlassian:bitbucket:7.17.8
-
cpe:2.3:a:atlassian:bitbucket:7.17.9
-
cpe:2.3:a:atlassian:bitbucket:7.18.0
-
cpe:2.3:a:atlassian:bitbucket:7.18.1
-
cpe:2.3:a:atlassian:bitbucket:7.18.2
-
cpe:2.3:a:atlassian:bitbucket:7.18.3
-
cpe:2.3:a:atlassian:bitbucket:7.18.4
-
cpe:2.3:a:atlassian:bitbucket:7.19.2
-
cpe:2.3:a:atlassian:bitbucket:7.19.3
-
cpe:2.3:a:atlassian:bitbucket:7.19.4
-
cpe:2.3:a:atlassian:bitbucket:7.19.5
-
cpe:2.3:a:atlassian:bitbucket:7.2.0
-
cpe:2.3:a:atlassian:bitbucket:7.2.1
-
cpe:2.3:a:atlassian:bitbucket:7.2.2
-
cpe:2.3:a:atlassian:bitbucket:7.2.3
-
cpe:2.3:a:atlassian:bitbucket:7.2.4
-
cpe:2.3:a:atlassian:bitbucket:7.2.5
-
cpe:2.3:a:atlassian:bitbucket:7.2.6
-
cpe:2.3:a:atlassian:bitbucket:7.20.0
-
cpe:2.3:a:atlassian:bitbucket:7.20.1
-
cpe:2.3:a:atlassian:bitbucket:7.20.2
-
cpe:2.3:a:atlassian:bitbucket:7.20.3
-
cpe:2.3:a:atlassian:bitbucket:7.21.0
-
cpe:2.3:a:atlassian:bitbucket:7.21.1
-
cpe:2.3:a:atlassian:bitbucket:7.21.2
-
cpe:2.3:a:atlassian:bitbucket:7.21.3
-
cpe:2.3:a:atlassian:bitbucket:7.3.0
-
cpe:2.3:a:atlassian:bitbucket:7.3.1
-
cpe:2.3:a:atlassian:bitbucket:7.3.2
-
cpe:2.3:a:atlassian:bitbucket:7.4.0
-
cpe:2.3:a:atlassian:bitbucket:7.4.1
-
cpe:2.3:a:atlassian:bitbucket:7.4.2
-
cpe:2.3:a:atlassian:bitbucket:7.5.0
-
cpe:2.3:a:atlassian:bitbucket:7.5.1
-
cpe:2.3:a:atlassian:bitbucket:7.5.2
-
cpe:2.3:a:atlassian:bitbucket:7.6.0
-
cpe:2.3:a:atlassian:bitbucket:7.6.1
-
cpe:2.3:a:atlassian:bitbucket:7.6.10
-
cpe:2.3:a:atlassian:bitbucket:7.6.11
-
cpe:2.3:a:atlassian:bitbucket:7.6.12
-
cpe:2.3:a:atlassian:bitbucket:7.6.13
-
cpe:2.3:a:atlassian:bitbucket:7.6.14
-
cpe:2.3:a:atlassian:bitbucket:7.6.15
-
cpe:2.3:a:atlassian:bitbucket:7.6.16
-
cpe:2.3:a:atlassian:bitbucket:7.6.2
-
cpe:2.3:a:atlassian:bitbucket:7.6.3
-
cpe:2.3:a:atlassian:bitbucket:7.6.4
-
cpe:2.3:a:atlassian:bitbucket:7.6.5
-
cpe:2.3:a:atlassian:bitbucket:7.6.6
-
cpe:2.3:a:atlassian:bitbucket:7.6.7
-
cpe:2.3:a:atlassian:bitbucket:7.6.8
-
cpe:2.3:a:atlassian:bitbucket:7.6.9
-
cpe:2.3:a:atlassian:bitbucket:7.7.0
-
cpe:2.3:a:atlassian:bitbucket:7.7.1
-
cpe:2.3:a:atlassian:bitbucket:7.8.0
-
cpe:2.3:a:atlassian:bitbucket:7.8.1
-
cpe:2.3:a:atlassian:bitbucket:7.9.0
-
cpe:2.3:a:atlassian:bitbucket:7.9.1
-
cpe:2.3:a:atlassian:bitbucket:8.0.0
-
cpe:2.3:a:atlassian:bitbucket:8.0.1
-
cpe:2.3:a:atlassian:bitbucket:8.0.2
-
cpe:2.3:a:atlassian:bitbucket:8.1.0
-
cpe:2.3:a:atlassian:bitbucket:8.1.1
-
cpe:2.3:a:atlassian:bitbucket:8.1.2
-
cpe:2.3:a:atlassian:bitbucket:8.2.0
-
cpe:2.3:a:atlassian:bitbucket:8.2.1
-
cpe:2.3:a:atlassian:bitbucket:8.3.0