Multiple API endpoints in Atlassian Bitbucket Server and Data Center from version 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
Published 2022-08-25 06:15:09
Updated 2023-03-24 19:15:07
Source Atlassian
Vulnerability category: Execute code
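The affected ranges above are awkward to check by eye because each release branch has its own fix version. The script below is an added example (not Atlassian's code or anything from this page) that encodes those ranges exactly as published and reports the first fixed release for a given version. It assumes plain numeric `MAJOR.MINOR[.PATCH]` version strings and treats any version outside every listed range, such as 6.x or 8.4 and later, as simply not listed by the advisory.

```python
"""Check a Bitbucket Server / Data Center version against the ranges the
advisory lists as affected by CVE-2022-36804.

Added example, not Atlassian's code."""

from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as published for CVE-2022-36804: lower bound
# inclusive, upper bound exclusive (the upper bound is the first fixed
# release on that branch). Versions outside every range (e.g. 6.x, 8.4+)
# are not listed by the advisory; "not affected" here means "not listed".
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 6, 17)),
    ((7, 7, 0), (7, 17, 10)),
    ((7, 18, 0), (7, 21, 4)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 2)),
    ((8, 3, 0), (8, 3, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' into a comparable tuple; PATCH defaults to 0.

    Anything that is not purely numeric dotted form (e.g. '8.3.0-m1') is
    rejected rather than guessed at, so a pre-release or otherwise odd
    build string is never silently classified one way or the other.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(text: str) -> Optional[str]:
    """Return the first fixed release of the branch the version sits on,
    or None when the version is not inside any affected range."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_affected(text: str) -> bool:
    """True when the version falls inside one of the published ranges."""
    return fixed_version_for(text) is not None


if __name__ == "__main__":
    for candidate in ("7.6.16", "7.6.17", "7.21.3", "8.0", "8.3.1"):
        fix = fixed_version_for(candidate)
        status = f"affected, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{candidate:>8}: {status}")
```

The upper bounds double as the upgrade targets, so a fleet inventory can be mapped straight to "upgrade to X" per branch; rejecting non-numeric strings is deliberate, since a build tagged with a suffix should be looked up by hand rather than guessed.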

Threat overview for CVE-2022-36804

Top open port discovered on systems with this issue: 443
IPs affected by CVE-2022-36804: 128
Threat actors abusing this issue? Yes

CVE-2022-36804 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Atlassian Bitbucket Server and Data Center Command Injection Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.
Notes:
https://jira.atlassian.com/browse/BSERV-13438
Added on: 2022-09-30
Action due date: 2022-10-21

Exploit prediction scoring system (EPSS) score for CVE-2022-36804

EPSS score: 97.35% (probability of exploitation activity in the next 30 days)
Percentile: ~100% (proportion of vulnerabilities scored at or below this one)

Metasploit modules for CVE-2022-36804

  • Bitbucket Git Command Injection
    Disclosure Date: 2022-08-24
    First seen: 2022-12-23
    exploit/linux/http/bitbucket_git_cmd_injection
    Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint creates an archive of th
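The module description names the archive REST endpoint as the sink for the git command injection. A detection engineer's first question is whether that endpoint has already been hit with option-looking input. The script below is an added example (not the Metasploit module's or Atlassian's code, and not from this page) that scans access-log lines for requests to that endpoint whose query parameters decode to something git could consume as an option rather than data. The log lines are constructed for the example, and the check itself is an assumed generic argument-injection heuristic (a value starting with `-`, or containing a NUL byte that would split one parameter into several arguments); the page does not state which parameter the exploit uses, so this is not a signature for one payload.

```python
"""Flag requests to the Bitbucket archive REST endpoint whose query
parameters look like injected git command-line options.

Added example, not the Metasploit module's or Atlassian's code."""

import re
from urllib.parse import parse_qsl, urlsplit

# The endpoint named in the Metasploit module description. Both the 'latest'
# and the versioned '1.0' API prefixes are accepted.
ARCHIVE_PATH = re.compile(
    r"^/rest/api/(?:latest|1\.0)/projects/[^/]+/repos/[^/]+/archive/?$"
)

# Request line inside a combined-log-format entry: "METHOD target HTTP/x.y".
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines for this example; not captured from a real server.
# Line 2 carries a value that decodes to a git-style '--option', line 3 an
# embedded NUL (%00). Lines 1 and 4 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Aug/2022:10:01:02 +0000] "GET /rest/api/latest/projects/PROJ/repos/repo/archive?format=zip&at=refs/heads/main HTTP/1.1" 200 5123
10.0.0.9 - - [25/Aug/2022:10:01:07 +0000] "GET /rest/api/latest/projects/PROJ/repos/repo/archive?format=zip&prefix=--exec%3Dx HTTP/1.1" 200 0
10.0.0.9 - - [25/Aug/2022:10:01:09 +0000] "GET /rest/api/latest/projects/PROJ/repos/repo/archive?format=zip&path=src%00--help HTTP/1.1" 500 0
10.0.0.7 - - [25/Aug/2022:10:02:00 +0000] "GET /rest/api/latest/projects/PROJ/repos/repo/browse HTTP/1.1" 200 2211
"""


def suspicious_params(query: str):
    """Return (name, decoded value) pairs that git could consume as an
    option rather than as data.

    Heuristic assumed for this example, not the exact parameter the exploit
    uses: a decoded value beginning with '-' or containing a NUL byte.
    Expect occasional false positives on odd but legitimate ref names."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.startswith("-") or "\x00" in value:
            hits.append((name, value))
    return hits


def scan_log(text: str):
    """Return one finding per log line that hits the archive endpoint with a
    suspicious parameter. Lines that do not parse or do not match the
    endpoint are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if not ARCHIVE_PATH.match(target.path):
            continue
        hits = suspicious_params(target.query)
        if hits:
            findings.append({
                "method": m.group("method"),
                "path": target.path,
                "params": hits,
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['method']} {f['path']} -> {f['params']}")
```

Percent-decoding before the check matters: the raw query string hides both indicators (`%3D`, `%00`), which is why a naive `grep -- '--exec'` over the log misses the second line. Pair any hit with the IP's other activity; the request on line 3 returning 500 is exactly what a failed injection attempt tends to look like.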

CVSS scores for CVE-2022-36804

Base Score:           8.8
Base Severity:        HIGH
CVSS Vector:          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability Score: 2.8
Impact Score:         5.9
Score Source:         NIST

