Security News > 2022 > August > Atlassian Bitbucket Server vulnerable to critical RCE vulnerability
Atlassian has published a security advisory warning Bitbucket Server and Data Center users of a critical security flaw that attackers could leverage to execute arbitrary code on vulnerable instances.
"An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request," explains Atlassian's advisory.
The vulnerability impacts all Bitbucket Server and Data Center versions after 6.10.17, including 7.0.0 and up to 8.3.0.
Atlassian notes that those accessing Bitbucket via bitbucket.org domains aren't impacted by the critical RCE, as the vendor hosts those instances.
The security researcher who discovered CVE-2022-36804 back in July 2022, Max Garrett, reported it to Atlassian via the firm's bug bounty program on Bugcrowd and received $6,000 for his finding.
That said, Bitbucket Server and Data Center users are advised to apply the available security update or mitigations as soon as possible.
News URL
Related news
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- SAP fixes critical vulnerabilities in NetWeaver application servers (source)
- Critical SimpleHelp vulnerabilities fixed, update your server instances! (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits (source)
- Lightning AI Studio Vulnerability Could've Allowed RCE via Hidden URL Parameter (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-08-25 | CVE-2022-36804 | Argument Injection or Modification vulnerability in Atlassian Bitbucket Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. | 8.8 |