CVE-2022-36804: Atlassian Bitbucket Server and Data Center Vulnerability
Another critical Atlassian vulnerability has been reported in numerous API endpoints of Bitbucket Server and Data Center. The vulnerability in question is CVE-2022-36804, a command injection issue introduced in version 7.0.0 of Bitbucket Server and Data Center.
According to the official advisory, all Bitbucket versions released after 6.10.17, including 7.0.0 and newer, are affected. In other words, every instance running a version from 7.0.0 through 8.3.0 inclusive is exposed to the command injection flaw.
In technical terms, the vulnerability can be exploited by a threat actor who has access to a public repository or read permission on a private Bitbucket repository. The critical issue can be used for arbitrary code execution, triggered by sending a malicious HTTP request.
In order to avoid the risks stemming from CVE-2022-36804, Bitbucket Server customers should upgrade their instances to one of the fixed versions. If upgrading isn't possible at the moment, a temporary mitigation is available: Atlassian suggests turning off public repositories globally by setting feature.public.access=false.
This step changes the attack vector from an unauthorized to an authorized attack, meaning a threat actor would first need a valid user account. It cannot be considered a complete mitigation, however: as Atlassian points out, an attacker who already has a user account could still carry out the attack.
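As an added example (not code from the article or from Atlassian), the following script checks an instance's reported version against the 7.0.0 through 8.3.0 range the article gives and inspects a bitbucket.properties fragment for the interim feature.public.access=false setting; the properties text and version strings are constructed samples.

```python
"""Triage helper for CVE-2022-36804 (added example, not Atlassian's code).

Two defender-side checks: is the running version inside the affected range
named in the article, and has the interim mitigation been applied? The
range check is coarse; confirm against Atlassian's list of fixed releases.
"""
import re

AFFECTED_MIN = (7, 0, 0)   # first affected release per the advisory
AFFECTED_MAX = (8, 3, 0)   # last release named as affected in the article

# Constructed sample of a bitbucket.properties file (commented-out line
# must not count as applied; the last live assignment wins).
SAMPLE_PROPERTIES = """# feature.public.access=false
server.port=7990
feature.public.access = false
"""


def parse_version(text):
    """Pull a major.minor.patch triple out of a version banner string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True when the version falls inside the affected range (inclusive)."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def public_access_disabled(properties_text):
    """True only if a live (uncommented) line sets feature.public.access=false."""
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # Java .properties comment markers
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "feature.public.access":
            value = val.strip().lower()
    return value == "false"


def assess(version_text, properties_text):
    """Summarise exposure: not affected / mitigated / unmitigated."""
    if not is_affected(version_text):
        return "not affected"
    if public_access_disabled(properties_text):
        return "affected, mitigated (authenticated attack still possible)"
    return "affected, unmitigated"


if __name__ == "__main__":
    print(assess("Bitbucket 8.2.1", SAMPLE_PROPERTIES))
```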