CVE-2022-36804

Published on: Not Yet Published

Last Modified on: 10/01/2022 02:31:00 AM UTC

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Certain versions of Bitbucket from Atlassian contain the following vulnerability:

Multiple API endpoints in Atlassian Bitbucket Server and Data Center from version 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via Atlassian's Bug Bounty Program by TheGrandPew. Because read access to a public repository is enough, an instance that exposes any public repository is exploitable without authentication (the "pre-auth" in several of the references listed on this page); on instances without public repositories, any authenticated user with repository read access qualifies, which is what the PR:L in the CVSS vector reflects.
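The version ranges in the description are the practical takeaway for anyone inventorying Bitbucket instances, and they are easy to get wrong with a lexical compare ("7.6.17" sorts above "7.17.10" as strings). The check below is an added example, not Atlassian's or NVD's code; it encodes each listed range as a half-open interval [first affected, first fixed) and reports a version outside every range as "not listed" rather than "safe", because the description enumerates affected ranges only and says nothing about releases before 7.0.0. The sample inventory in the main block is constructed.

```python
"""Version-range check for CVE-2022-36804 (Bitbucket Server / Data Center).

Added example, not Atlassian's or NVD's code. The ranges are transcribed
from the CVE description: each entry is (first affected, first fixed),
i.e. a half-open interval [start, fix). A version outside every listed
range is reported as "not listed", not as "safe".
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected version, first fixed version), from the description text
AFFECTED_RANGES = [
    ("7.0.0", "7.6.17"),
    ("7.7.0", "7.17.10"),
    ("7.18.0", "7.21.4"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.3"),
    ("8.2.0", "8.2.2"),
    ("8.3.0", "8.3.1"),
]


def parse_version(text: str) -> Version:
    """Turn '7.17.10' into (7, 17, 10) so comparisons are numeric, not lexical.

    A lexical compare ranks '7.6.17' above '7.17.10'; tuples of ints do not.
    Qualifiers such as '8.3.0-rc1' are rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def fix_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, or None.

    None means the version falls in no listed affected range; it does not
    assert that the release is free of the bug.
    """
    v = parse_version(version)
    for start, fix in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(fix):
            return fix
    return None


def triage(version: str) -> str:
    """One-line verdict suitable for a scanner finding or a ticket."""
    fix = fix_version_for(version)
    if fix is None:
        return f"Bitbucket {version}: not in a listed affected range"
    return f"Bitbucket {version}: AFFECTED by CVE-2022-36804, upgrade to {fix} or later"


if __name__ == "__main__":
    # Constructed sample inventory; the version strings are illustrative.
    for installed in ["7.6.16", "7.6.17", "7.17.9", "7.21.4", "8.2.1", "8.3.0", "8.3.1", "6.10.0"]:
        print(triage(installed))
```

Note that the fix version is the exclusive upper bound of each range, so 7.21.4 and 8.3.1 come back as not listed, while 7.21.3 and 8.3.0 are flagged; a scanner that compares only major.minor would miss that distinction.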

  • CVE-2022-36804 was assigned by Atlassian (the CNA for its own products) to track the vulnerability; it is currently rated as HIGH severity by NVD.

CVSS v3.1 Base Score: 8.8 - HIGH (NVD scoring of the vector above; Atlassian's own advisory, BSERV-13438 in the references, rates the issue Critical)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVE References

  • Bitbucket Git Command Injection (Packet Storm): packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html
  • [BSERV-13438] Critical severity command injection vulnerability - CVE-2022-36804 (Atlassian Jira): jira.atlassian.com/browse/BSERV-13438

Related QID Numbers

  • 150574 Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)
  • 730600 Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability

Exploit/POC from Github

Somewhat Reliable PoC Exploit for CVE-2022-36804 (BitBucket Critical Command Injection)

Known Affected Configurations (CPE V2.3)

  • cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:* (Application, Atlassian, Bitbucket, all versions)
  • cpe:2.3:a:atlassian:bitbucket:8.3.0:*:*:*:*:*:*:* (Application, Atlassian, Bitbucket, version 8.3.0)

The wildcard entry stands for the version ranges given in the description; the start and end bounds live in NVD's configuration data, not in the CPE string itself, so matching on the bare string alone would flag every Bitbucket release.

Social Mentions

Source | Title | Posted (UTC)
Twitter | @TheGrandPew | CVE-2022-36804 - RCE in Bitbucket Server Will Release PoC in 30 days. confluence.atlassian.com/bitbucketserve… twitter.com/TheGrandPew/st… | 2022-08-25 00:23:07
Twitter | @CVEreport | CVE-2022-36804 : Multiple API endpoints in #Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17,… twitter.com/i/web/status/1… | 2022-08-25 05:42:27
Twitter | @Inceptus3 | New Vulnerability: CVE-2022-36804 #InceptusSecure #UnderOurProtection | 2022-08-25 10:17:41
Twitter | @d0znpp | Bitbucket is a bit vulnerable today. #apisecurity #bitbucket #atlassian #bugbounty Critical CVE-2022-36804: Comma… twitter.com/i/web/status/1… | 2022-08-25 13:27:35
Twitter | @the_yellow_fall | CVE-2022-36804: Bitbucket Server and Data Center Command injection vulnerability securityonline.info/cve-2022-36804… twitter.com/i/web/status/1… | 2022-08-25 15:42:02
Twitter | @AcooEdi | CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability dlvr.it/SXDY1T via securi… twitter.com/i/web/status/1… | 2022-08-25 15:45:07
Twitter | @Komodosec | #Vulnerability #BitbucketServer CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability securityonline.info/cve-2022-36804… | 2022-08-25 15:52:03
Twitter | @threatmeter | CVE-2022-36804 Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, fr… twitter.com/i/web/status/1… | 2022-08-26 07:09:16
Twitter | @ColorTokensInc | Emerging Vulnerability Found CVE-2022-36804 - Multiple API endpoints in Atlassian Bitbucket Server and Data Center… twitter.com/i/web/status/1… | 2022-08-26 07:09:22
Twitter | @Dinosn | CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability securityonline.info/cve-2022-36804… | 2022-08-26 08:19:16
Twitter | @fletusposton | securityonline.info/cve-2022-36804… | 2022-08-26 12:07:42
Twitter | @PentestingN | CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability securityonline.info/cve-2022-36804… Penetrat… twitter.com/i/web/status/1… | 2022-08-26 12:13:54
Twitter | @oedbro | Time to update bitbucket, (CVE-2022-36804)! confluence.atlassian.com/bitbucketserve… #vulnerabilities #Critical #Patch | 2022-08-26 12:40:30
Twitter | @olofhaglund | 9.9 CVE in bitbucket. CVE-2022-36804 confluence.atlassian.com/bitbucketserve… #CVE | 2022-08-26 12:48:57
Twitter | @ipssignatures | I know no IPS that has a protection/signature/rule for the vulnerability CVE-2022-36804. The vuln was published 1 d… twitter.com/i/web/status/1… | 2022-08-26 14:04:01
Twitter | @ipssignatures | The vuln CVE-2022-36804 has a tweet created 1 days ago and retweeted 8 times. twitter.com/TheGrandPew/st… #S7e3amrdm4gmgo | 2022-08-26 14:04:01
Twitter | @CyberConvoy | blog.cyberconvoy.com/cve-2022-36804… An attacker with access to a public repository or read permissions to a private Bitbucket r… twitter.com/i/web/status/1… | 2022-08-26 14:27:46
Twitter | @Har_sia | CVE-2022-36804 har-sia.info/CVE-2022-36804… #HarsiaInfo | 2022-08-26 15:00:09
Twitter | @Har_sia | CVE-2022-36804 har-sia.info/CVE-2022-36804… #HarsiaInfo | 2022-08-26 18:24:02
Twitter | @TheHackersNews | #Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-26 19:40:08
Twitter | @_DrFrusci | #Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-26 19:41:10
Twitter | @trip_elix | "#Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cent… twitter.com/i/web/status/1… | 2022-08-26 19:47:02
Twitter | @stevematindi | CVE-2022-36804 - RCE in #Atlassian's Bitbucket Server (bit.ly/3QPmfqC) https://t.co/Skfqgac3Qe | 2022-08-26 19:58:12
Twitter | @Swati_THN | #Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-26 20:01:00
Twitter | @ipssignatures | The vuln CVE-2022-36804 has a tweet created 1 days ago and retweeted 10 times. twitter.com/TheGrandPew/st… #pow1rtrtwwcve | 2022-08-26 22:06:00
Twitter | @virusmyths | [Caution] Bitbucket remote code execution vulnerability (CVE-2022-36804) : naver.me/GFnNsQNJ | 2022-08-27 05:18:41
Twitter | @security_wang | #Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-27 06:01:00
Twitter | @unix_root | #Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-27 08:01:00
Twitter | @doukkalli | #threatleak #FSB #dsec_ru Bitbucket Server and Data Center - Command injection vulnerability - CVE-2022-36804 lnkd.in/e3Tr5ZU4 | 2022-08-27 10:28:58
Twitter | @doukkalli | #threatleak Bitbucket Server and Data Center - Command injection vulnerability - CVE-2022-36804 lnkd.in/ef9ssanD | 2022-08-27 10:30:15
Twitter | @YourAnonRiots | #Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-27 11:06:49
Twitter | @ciberconsejo | The latest flaw is tracked as CVE-2022-36804 and is a command injection in multiple API endpoints of the software p… twitter.com/i/web/status/1… | 2022-08-27 11:32:24
Twitter | @SecurityWeek | Atlassian Ships Urgent Patch for Critical Bitbucket Vulnerability - securityweek.com/atlassian-ship… (CVE-2022-36804) | 2022-08-27 11:39:56
Twitter | @MrsYisWhy | SecurityWeek: Atlassian Ships Urgent Patch for Critical Bitbucket Vulnerability - securityweek.com/atlassian-ship… (CVE-2022-36804) | 2022-08-27 11:40:02
Twitter | @CVEtrends | Top 3 trending CVEs on Twitter Past 24 hrs: CVE-2022-36804: 1.5M (audience size) CVE-2022-30190: 184.1K CVE-2022-2… twitter.com/i/web/status/1… | 2022-08-27 13:00:03
Twitter | @Har_sia | CVE-2022-36804 har-sia.info/CVE-2022-36804… #HarsiaInfo | 2022-08-27 15:00:06
Twitter | @MariaRusanova88 | CVE-2022-36804 and is a command injection in multiple API endpoints of the software product. | 2022-08-27 19:50:11
Twitter | @securestep9 | #Atlassian #Bitbucket Server vulnerable to critical #RCE #vulnerability tracked as CVE-2022-36804 - it is a command… twitter.com/i/web/status/1… | 2022-08-28 13:25:31
Twitter | @stacksmasher | Heads Up! Multiple API endpoints in Atlassian Bitbucket Server and Data Center RCE | 2022-08-29 00:32:30
Twitter | @ipssignatures | The vuln CVE-2022-36804 has a tweet created 1 days ago and retweeted 10 times. twitter.com/SecurityWeek/s… #pow1rtrtwwcve | 2022-08-29 02:06:01
Reddit | /r/blueteamsec | Bitbucket Server and Data Center Advisory 2022-08-24 Bitbucket Server and Data Center - Command injection vulnerability - CVE-2022-36804 | 2022-08-24 17:50:09
Reddit | /r/atlassian | Bitbucket CVE-2022-36804: Remote Code Execution via Improperly Sanitized Input | 2022-08-25 03:29:15
Reddit | /r/netcve | CVE-2022-36804 | 2022-08-25 06:38:31
Reddit | /r/KomodoCyberConsulting | CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability | 2022-08-25 15:52:04
Reddit | /r/sysadmin | Critical flaw impacts Atlassian Bitbucket Server and Data Center | 2022-08-29 06:21:31
Reddit | /r/k12cybersecurity | A Vulnerability in Atlassian Bitbucket Server and Data Center Could Allow For Remote Code Execution | 2022-08-29 12:37:47
Reddit | /r/programming | Bitbucket: critical severity command injection vulnerability with score of 9.9 (CVE-2022-36804) | 2022-08-30 17:49:33
Reddit | /r/blueteamsec | Bitbucket Server CVE-2022-36804 Vulnerability Analysis (original title in Chinese) | 2022-09-16 18:53:38
Reddit | /r/netsec | Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804) | 2022-09-22 04:25:47
Reddit | /r/blackhat | Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804) | 2022-09-22 06:52:11
Reddit | /r/cybersecurity | OWASP Top 10 protection - what does that actually mean? | 2023-01-09 10:13:14
Reddit | /r/technicaladversary | Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804) | 2023-01-24 23:53:32
© CVE.report 2023

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
