Cybersecurity Announcement: Atlassian Bitbucket Server and Data Center Critical Vulnerability (CVE-2022-36804)
About the Event
Atlassian has published a security advisory warning Bitbucket Server and Data Center users of a critical security flaw that allows remote attackers with access to public repositories, or read access to private Bitbucket repositories, to execute arbitrary code. It is tracked as CVE-2022-36804 and carries a CVSS severity score of 9.9.
Actions to Consider
Atlassian has released bug fixes for versions 7.6 and newer and recommends patching immediately.
Event Impact
The vulnerability impacts all Bitbucket Server and Data Center versions after 6.10.17, including 7.0.0 and up to 8.3.0. It is a command injection flaw in multiple API endpoints of the product. Atlassian reports that it is not currently being exploited in the wild and that no proof-of-concept (PoC) has been released, but notes that it would not be difficult for skilled attackers to reverse engineer the released patches. PoC code will be released in 30 days.