Patch critical flaw in Atlassian Bitbucket Server and Data Center! (CVE-2022-36804) (Security News, August 2022)
A critical vulnerability in Atlassian Bitbucket Server and Data Center could be exploited by unauthorized attackers to execute malicious code on vulnerable instances.
Bitbucket Server and Data Center are used by software developers around the world for source code revision control, management and hosting.
CVE-2022-36804 is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center.
"An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request," Atlassian explained.
All versions of Bitbucket Server and Data Center released before versions 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.2, 8.2.2, and 8.3.1 are vulnerable, but Bitbucket installations hosted by Atlassian are not affected.
Of course, nothing stops attackers from reverse-engineering the released patches to learn enough about the flaw to build a working exploit, so users should act quickly to close this avenue of attack.
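A defender's first question on reading an advisory like this is "which of my instances fall inside the affected ranges?" The following script is an added example, not part of the original article or Atlassian's tooling. It encodes the affected/fixed version pairs from the vulnerability table at the bottom of this page (note that the table gives 8.1.3 as the fix for the 8.1 line while the summary above says 8.1.2; the script follows the table) and classifies a version string as vulnerable, fixed, or outside the listed ranges. The sample version strings at the bottom are constructed for illustration; the script does not query any server.

```python
"""Classify a Bitbucket Server / Data Center version against the
CVE-2022-36804 affected ranges.

Added example for this page. The (first affected, first fixed) pairs are
taken from the CVE description in the page's vulnerability table; they are
not read from Atlassian's advisory feed.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# One (first affected, first fixed) pair per release line, per the table:
# "7.0.0 before 7.6.17", "7.7.0 before 7.17.10", ... "8.3.0 before 8.3.1".
# The page's summary paragraph lists 8.1.2 for the 8.1 line; the table's
# 8.1.3 is used here.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 0, 0), (7, 6, 17)),
    ((7, 7, 0), (7, 17, 10)),
    ((7, 18, 0), (7, 21, 4)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 2)),
    ((8, 3, 0), (8, 3, 1)),
]


def fmt(v: Version) -> str:
    """Render an (major, minor, patch) tuple as 'major.minor.patch'."""
    return ".".join(str(x) for x in v)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' from a version string.

    Accepts an optional leading 'v' and ignores any trailing suffix such as
    '-rc1'. Raises ValueError if the string does not start with three
    dot-separated integers, so a bad input is never silently treated as safe.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, str]:
    """Return (status, detail) for one version string.

    status is one of:
      'vulnerable' - inside an affected range; detail names the fix version
      'fixed'      - at or above the fix for its line, or a newer line
      'unlisted'   - older than every range in the table (6.x and earlier);
                     the table does not cover it, so it needs manual review
    """
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        # Tuple comparison is lexicographic, so (7, 21, 3) < (7, 21, 4).
        if low <= v < fixed:
            return (
                "vulnerable",
                f"{fmt(v)} is in affected range [{fmt(low)}, {fmt(fixed)}); "
                f"upgrade to {fmt(fixed)} or later",
            )
    if v < AFFECTED_RANGES[0][0]:
        return "unlisted", f"{fmt(v)} predates every listed range; review manually"
    return "fixed", f"{fmt(v)} is not inside any listed affected range"


def report(versions: List[str]) -> List[Tuple[str, str, str]]:
    """Assess a list of version strings; returns (input, status, detail) rows."""
    rows = []
    for text in versions:
        try:
            status, detail = assess(text)
        except ValueError as exc:
            status, detail = "error", str(exc)
        rows.append((text, status, detail))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    SAMPLE_INVENTORY = ["7.21.3", "7.21.4", "8.1.2", "8.1.3", "8.4.0", "6.10.0", "latest"]
    for text, status, detail in report(SAMPLE_INVENTORY):
        print(f"{text:>8}  {status:<10}  {detail}")
```

The classifier deliberately returns "unlisted" rather than "fixed" for anything older than 7.0.0: the table's ranges start at 7.0.0, while the summary above says every version before 7.6.17 is affected, so such instances need a human decision rather than a green tick.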
News URL
https://www.helpnetsecurity.com/2022/08/29/cve-2022-36804/
Related news
- Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover - Patch Now (source)
- Lagging Mastodon admins urged to patch critical account takeover flaw (CVE-2024-23832) (source)
- February 2024 Patch Tuesday forecast: Zero days are back and a new server too (source)
- Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation (source)
- Critical ConnectWise ScreenConnect vulnerabilities fixed, patch ASAP! (source)
- Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now (source)
- ConnectWise urges ScreenConnect admins to patch critical RCE flaw (source)
- Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) (source)
- Exploit available for new critical TeamCity auth bypass bug, patch now (source)
- Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score)
---|---|---|---
2022-08-25 | CVE-2022-36804 | Unspecified vulnerability in Atlassian Bitbucket: multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. | 8.8