CVE-2022-36804 : Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 befor

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

Published 2022-08-25 06:15:09

Updated 2025-02-09 20:50:45

Source Atlassian

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2022-36804

Atlassian » Bitbucket
Versions from including (>=) 8.2.0 and before (<) 8.2.2
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 7.18.0 and before (<) 7.21.4
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 7.7.0 and before (<) 7.17.10
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 7.0.0 and before (<) 7.6.17
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 8.1.0 and before (<) 8.1.3
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket
Versions from including (>=) 8.0.0 and before (<) 8.0.3
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Matching versions
Atlassian » Bitbucket » Version: 8.3.0
cpe:2.3:a:atlassian:bitbucket:8.3.0:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2022-36804

Top countries where our scanners detected CVE-2022-36804

Top open port discovered on systems with this issue 80

IPs affected by CVE-2022-36804 138

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2022-36804!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

CVE-2022-36804 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Atlassian Bitbucket Server and Data Center Command Injection Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.

Notes:

https://jira.atlassian.com/browse/BSERV-13438; https://nvd.nist.gov/vuln/detail/CVE-2022-36804

Added on 2022-09-30 Action due date 2022-10-21

Exploit prediction scoring system (EPSS) score for CVE-2022-36804

EPSS FAQ

94.43%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2022-36804

Bitbucket Git Command Injection

Disclosure Date: 2022-08-24

First seen: 2022-12-23

exploit/linux/http/bitbucket_git_cmd_injection

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint creates an archive of th

More information

CVSS scores for CVE-2022-36804

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-29
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-36804

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-36804

https://jira.atlassian.com/browse/BSERV-13438

[BSERV-13438] Critical severity command injection vulnerability - CVE-2022-36804 - Create and track feature requests for Atlassian products.
Issue Tracking;Patch;Release Notes;Vendor Advisory
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html

Bitbucket 7.0.0 Remote Command Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html

Bitbucket Git Command Injection ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2022-36804