Atlassian has rolled out fixes for a critical security flaw[1]
in Bitbucket Server and Data Center that could lead to the
execution of malicious code on vulnerable installations.
Tracked as CVE-2022-36804 (CVSS score: 9.9),
the issue has been characterized as a command injection
vulnerability in multiple API endpoints that could be exploited via
specially crafted HTTP requests.
“An attacker with access to a public Bitbucket repository or
with read permissions to a private one can execute arbitrary code
by sending a malicious HTTP request,” Atlassian said[2]
in an advisory.
The shortcoming, discovered and reported by security researcher
@TheGrandPew[3],
affects all versions of Bitbucket Server and Data Center released
after 6.10.17, including 7.0.0 and newer. Atlassian has published
fixed releases for the following version lines:
- Bitbucket Server and Data Center 7.6
- Bitbucket Server and Data Center 7.17
- Bitbucket Server and Data Center 7.21
- Bitbucket Server and Data Center 8.0
- Bitbucket Server and Data Center 8.1
- Bitbucket Server and Data Center 8.2, and
- Bitbucket Server and Data Center 8.3
As a temporary workaround in scenarios where the patches cannot
be applied right away, Atlassian is recommending turning off public
repositories by setting “feature.public.access=false” in
bitbucket.properties, which removes the unauthenticated attack path.
“This can not be considered a complete mitigation as an attacker
with a user account could still succeed,” it cautioned, meaning it
could be leveraged by threat actors who are already in possession
of valid credentials obtained through other means.
Users of affected versions of the software are recommended to
upgrade their instances to the latest version as soon as possible
to mitigate potential threats.
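The two questions an administrator has after reading the advisory are whether the installed build is still vulnerable and whether the partial workaround is actually in place. The following triage helper is an added example, not Atlassian's tooling or the article's own code. The first fixed release per line is filled in from Atlassian's advisory as the editor recalls it; the article itself lists only the version lines, so confirm those numbers against the linked advisory before relying on them. The sample bitbucket.properties content is constructed for the example.

```python
"""Triage helper for CVE-2022-36804 in Bitbucket Server / Data Center.

Added example, not Atlassian's tooling. It answers two questions an admin
asks after reading the advisory: is the installed version still vulnerable,
and has the partial workaround (feature.public.access=false) been applied?
"""
import re

# First fixed release per affected line, as the editor recalls them from
# Atlassian's advisory. The article lists only the lines, not the patch
# numbers, so confirm these against the advisory before relying on them.
FIXED_VERSIONS = {
    (7, 6): (7, 6, 17),
    (7, 17): (7, 17, 10),
    (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 3),
    (8, 2): (8, 2, 2),
    (8, 3): (8, 3, 1),
}
# Per the advisory, every release after 6.10.17 is affected.
LAST_UNAFFECTED = (6, 10, 17)

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:[-.][0-9A-Za-z.-]*)?\s*$")


def parse_version(text):
    """Parse 'major.minor.patch' (any trailing suffix ignored) into an int tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess_version(text):
    """Classify an installed version: 'not affected', 'patched', 'vulnerable: ...' or 'unknown: ...'."""
    v = parse_version(text)
    if v <= LAST_UNAFFECTED:
        return "not affected"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        if v[:2] > max(FIXED_VERSIONS):
            # Newer than any line in the table: do not guess, defer to the advisory.
            return "unknown: line newer than the fixed lines, check the advisory"
        # e.g. 7.5.x or 7.20.x: affected, and no fix was shipped within the line.
        return "vulnerable: no fix in this line, upgrade to a fixed line"
    if v >= fixed:
        return "patched"
    return "vulnerable: upgrade to %d.%d.%d" % fixed


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators, last key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def public_access_disabled(properties_text):
    """True when feature.public.access=false is set (the partial workaround)."""
    value = parse_properties(properties_text).get("feature.public.access", "")
    return value.lower() == "false"


def triage(version, properties_text):
    """Combine the version verdict with the workaround check into one report."""
    status = assess_version(version)
    workaround = public_access_disabled(properties_text)
    if status.startswith("vulnerable") and workaround:
        note = ("exposure limited to authenticated users; the advisory says "
                "this is not a complete mitigation, still upgrade")
    elif status.startswith("vulnerable"):
        note = "exposed to anyone who can reach a public repository, upgrade now"
    else:
        note = ""
    return {"version": version, "status": status,
            "public_access_disabled": workaround, "note": note}


# Constructed sample bitbucket.properties with the workaround applied (not a real file).
SAMPLE_PROPERTIES = """\
# bitbucket.properties (constructed sample)
jdbc.driver=org.postgresql.Driver
feature.public.access=true
! later override, as an admin applying the workaround would add
feature.public.access=false
"""

if __name__ == "__main__":
    for ver in ("6.10.17", "7.21.3", "7.21.4", "8.3.0", "8.3.1", "7.20.2"):
        print(ver, triage(ver, SAMPLE_PROPERTIES)["status"])
```

The properties check deliberately reports only what the file says: an instance whose admin disabled public access through the UI rather than the properties file would still show the workaround as absent, so treat a negative result as a prompt to look further, not as proof of exposure.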
References
- [1] critical security flaw (confluence.atlassian.com)
- [2] said (confluence.atlassian.com)
- [3] @TheGrandPew (twitter.com)
Read more https://thehackernews.com/2022/08/critical-vulnerability-discovered-in.html
