Critical Vulnerability in Atlassian's Bitbucket Server and Data Center

Published on 29 Aug 2022

Updated on 29 Aug 2022

Atlassian has released security updates to address a critical command injection vulnerability (CVE-2022-36804) in multiple API endpoints of Bitbucket Server and Data Center. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.9 out of 10.

Successful exploitation of this vulnerability could allow an attacker with access to a public Bitbucket repository or with read permissions to a private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.

All versions of Bitbucket Server and Data Center released after 6.10.17 are affected, from 7.0.0 up to 8.3.0.

The proof-of-concept (PoC) exploit for this vulnerability may be released soon.

Administrators and users of the affected versions are advised to upgrade to the latest versions immediately.
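Before upgrading, an administrator usually has to work out which of several Bitbucket instances actually fall inside the affected range. The following Python script is an added example, not part of this advisory and not code from Atlassian. It encodes only the range stated above (every release after 6.10.17, up to 8.3.0) and classifies versions above 8.3.0 as "not_covered" because this page does not list the fixed releases; the hostnames and version strings in the sample inventory are constructed, and in practice the version would come from the administrator's own asset inventory.

```python
"""Version-range triage for CVE-2022-36804 (Bitbucket Server / Data Center).

Added example (not from the advisory or from Atlassian). It encodes only the
affected range the advisory states: releases after 6.10.17, up to 8.3.0.
Fixed releases are not listed on that page, so versions above 8.3.0 are
reported as "not_covered" rather than "not_affected".
"""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple


class Version(NamedTuple):
    """Three-part release number, comparable as a tuple."""
    major: int
    minor: int
    patch: int


# Accepts "7.21.3", "v7.0" (patch defaults to 0), with optional whitespace.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Version:
    """Parse a Bitbucket version string; reject anything that is not numeric."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return Version(int(major), int(minor), int(patch or 0))


# Boundaries taken from the advisory text above.
LAST_UNAFFECTED = Version(6, 10, 17)   # "released after 6.10.17 are affected"
LAST_AFFECTED = Version(8, 3, 0)       # "up to 8.3.0"


def classify(version: str) -> str:
    """Return "not_affected", "affected" or "not_covered" for one version.

    "not_covered" means the version is newer than the range this advisory
    describes; the vendor advisory must be consulted for the fixed releases.
    """
    v = parse_version(version)
    if v <= LAST_UNAFFECTED:
        return "not_affected"
    if v <= LAST_AFFECTED:
        return "affected"
    return "not_covered"


# Constructed sample inventory: (hostname, version reported by the instance).
SAMPLE_INVENTORY = [
    ("bitbucket-prod.example.internal", "7.21.3"),
    ("bitbucket-legacy.example.internal", "6.10.17"),
    ("bitbucket-dc-01.example.internal", "8.3.0"),
    ("bitbucket-dc-02.example.internal", "8.3.1"),
    ("bitbucket-dev.example.internal", "v7.0"),
]


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, str]:
    """Map every host in the inventory to its classification."""
    return {host: classify(version) for host, version in inventory}


def hosts_to_upgrade(inventory: Iterable[tuple[str, str]]) -> list[str]:
    """Sorted hostnames whose version is inside the stated affected range."""
    return sorted(host for host, status in triage(inventory).items()
                  if status == "affected")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:40} {status}")
    print("upgrade now:", ", ".join(hosts_to_upgrade(SAMPLE_INVENTORY)))
```

The comparison is done on parsed integer tuples rather than on strings, so that 7.21.3 sorts after 7.6.0 as it should; a string comparison would get that wrong. A version the parser cannot read (for example "latest") raises instead of silently passing, so an instance with unknown software cannot disappear from the triage list.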

More information is available at:
https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html