Pre Auth Remote Command Execution (CVE-2022-36804) in Atlassian Bitbucket

Sicherheit (Pexels, allgemeine Nutzung)[German]There is a critical remote command execution vulnerability (CVE-2022-36804) in the version management for software development projects, Atlassian Bitbucket. Atlassian had already published a security advisory and a product update for the vulnerability, which was rated critical, at the end of August 2022. Now the discoverers seem to have released details about the vulnerability.


Advertising

Atlassian Bitbucket

Atlassian Bitbucket  is a web-based online version management service for software development projects. The service was originally developed as a Mercurial-only system, but added support for Git on October 3, 2011. Wikipedia states that over 330,000 teams of over 2.5 million developers were working with Bitbucket in 2014 – I don't have more recent data.

Atlassian security warning on Bitbucket

While doing some quick research today, I came across the security alert Bitbucket Server and Data Center – Command injection vulnerability – CVE-2022-36804 from Atlassian. As of August 24, 2022 people are warning Command Injection vulnerability CVE-2022-36804 that affects both Bitbucket Server and Bitbucket Data Center. They state:

This advisory discloses a critical security vulnerability introduced in version 7.0.0 of Bitbucket Server and Data Center. All versions released after 6.10.17, including 7.0.0 and newer, are affected by this vulnerability. This means that all instances running a version between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.

A command injection vulnerability exists in multiple Bitbucket Server and Data Center API endpoints. An attacker with access to a public repository or with read access to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

All versions of Bitbucket Server and Datacenter released after 6.10.17, including 7.0.0 and later, are affected by this vulnerability. This means that all instances running a version between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability. Atlassian has released bug fixes for all affected versions of Bitbucket Server and Datacenter, which are listed here.

Details on CVE-2022-36804

Just came across the tweet linking to the article Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804 from assetnote.io. In a blog post dated September 14, 2022, their security researchers disclose the details of this vulnerability.


Advertising


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published.