CVE-2022-36804
Published on: Not Yet Published
Last Modified on: 10/01/2022 02:31:00 AM UTC
Certain versions of Bitbucket from Atlassian contain the following vulnerability:
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
- CVE-2022-36804 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 8.8 - HIGH
| Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|---|---|---|---|
| NETWORK | LOW | LOW | NONE |
| Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
| UNCHANGED | HIGH | HIGH | HIGH |
CVE References
| Description | Tags ⓘ | Link |
|---|---|---|
| Bitbucket Git Command Injection ≈ Packet Storm | packetstormsecurity.com text/html |
MISC packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html |
| [BSERV-13438] Critical severity command injection vulnerability - CVE-2022-36804 - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html |
MISC jira.atlassian.com/browse/BSERV-13438 |
Related QID Numbers
Exploit/POC from Github
Somewhat Reliable PoC Exploit for CVE-2022-36804 (BitBucket Critical Command Injection)
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Atlassian | Bitbucket | All | All | All | All |
| Application | Atlassian | Bitbucket | 8.3.0 | All | All | All |
- cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:bitbucket:8.3.0:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
| Source | Title | Posted (UTC) |
|---|---|---|
 @TheGrandPew |
CVE-2022-36804 - RCE in Bitbucket Server Will Release PoC in 30 days. confluence.atlassian.com/bitbucketserve… twitter.com/TheGrandPew/st… | 2022-08-25 00:23:07 |
| @CVEreport |
CVE-2022-36804 : Multiple API endpoints in #Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17,… twitter.com/i/web/status/1… | 2022-08-25 05:42:27 |
| @Inceptus3 |
New Vulnerability: CVE-2022-36804 #InceptusSecure #UnderOurProtection | 2022-08-25 10:17:41 |
| @d0znpp |
BitBicket is a bit vulnerable today. #apisecurity #bitbucket #atlassian #bugbounty Critical CVE-2022-36804: Comma… twitter.com/i/web/status/1… | 2022-08-25 13:27:35 |
| @the_yellow_fall |
CVE-2022-36804: Bitbucket Server and Data Center Command injection vulnerability securityonline.info/cve-2022-36804…… twitter.com/i/web/status/1… | 2022-08-25 15:42:02 |
| @AcooEdi |
CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability dlvr.it/SXDY1T via securi… twitter.com/i/web/status/1… | 2022-08-25 15:45:07 |
| @Komodosec |
#Vulnerability #BitbucketServer CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability securityonline.info/cve-2022-36804… | 2022-08-25 15:52:03 |
| @threatmeter |
CVE-2022-36804 Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, fr… twitter.com/i/web/status/1… | 2022-08-26 07:09:16 |
| @ColorTokensInc |
Emerging Vulnerability Found CVE-2022-36804 - Multiple API endpoints in Atlassian Bitbucket Server and Data Center… twitter.com/i/web/status/1… | 2022-08-26 07:09:22 |
| @Dinosn |
CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability securityonline.info/cve-2022-36804… | 2022-08-26 08:19:16 |
| @fletusposton |
securityonline.info/cve-2022-36804… | 2022-08-26 12:07:42 |
| @PentestingN |
CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability securityonline.info/cve-2022-36804… Penetrat… twitter.com/i/web/status/1… | 2022-08-26 12:13:54 |
| @oedbro |
Time to update bitbucket, (CVE-2022-36804)! confluence.atlassian.com/bitbucketserve… #vulnerabilities #Critical #Patch | 2022-08-26 12:40:30 |
| @olofhaglund |
9.9 CVE in bitbucket. CVE-2022-36804 confluence.atlassian.com/bitbucketserve… #CVE | 2022-08-26 12:48:57 |
| @ipssignatures |
I know no IPS that has a protection/signature/rule for the vulnerability CVE-2022-36804. The vuln was published 1 d… twitter.com/i/web/status/1… | 2022-08-26 14:04:01 |
| @ipssignatures |
The vuln CVE-2022-36804 has a tweet created 1 days ago and retweeted 8 times. twitter.com/TheGrandPew/st… #S7e3amrdm4gmgo | 2022-08-26 14:04:01 |
| @CyberConvoy |
blog.cyberconvoy.com/cve-2022-36804… An attacker with access to a public repository or read permissions to a private Bitbucket r… twitter.com/i/web/status/1… | 2022-08-26 14:27:46 |
| @Har_sia |
CVE-2022-36804 har-sia.info/CVE-2022-36804… #HarsiaInfo | 2022-08-26 15:00:09 |
| @Har_sia |
CVE-2022-36804 har-sia.info/CVE-2022-36804… #HarsiaInfo | 2022-08-26 18:24:02 |
| @TheHackersNews |
#Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-26 19:40:08 |
| @_DrFrusci |
#Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-26 19:41:10 |
| @trip_elix |
"#Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cent… twitter.com/i/web/status/1… | 2022-08-26 19:47:02 |
| @stevematindi |
CVE-2022-36804 - RCE in #Atlassian's Bitbucket Server (bit.ly/3QPmfqC) https://t.co/Skfqgac3Qe | 2022-08-26 19:58:12 |
| @Swati_THN |
#Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-26 20:01:00 |
| @ipssignatures |
The vuln CVE-2022-36804 has a tweet created 1 days ago and retweeted 10 times. twitter.com/TheGrandPew/st… #pow1rtrtwwcve | 2022-08-26 22:06:00 |
| @virusmyths |
[주의] Bitbucket 원격코드 실행 취약점(CVE-2022-36804) : naver.me/GFnNsQNJ | 2022-08-27 05:18:41 |
| @security_wang |
#Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-27 06:01:00 |
| @unix_root |
#Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-27 08:01:00 |
| @doukkalli |
#threatleak #FSB #dsec_ru Bitbucket Server and Data Center - Command injection vulnerability - CVE-2022-36804 lnkd.in/e3Tr5ZU4 | 2022-08-27 10:28:58 |
| @doukkalli |
#threatleak Bitbucket Server and Data Center - Command injection vulnerability - CVE-2022-36804 lnkd.in/ef9ssanD | 2022-08-27 10:30:15 |
| @YourAnonRiots |
#Atlassian has rolled out patches for a critical vulnerability (CVE-2022-36804) in #Bitbucket Server and Data Cente… twitter.com/i/web/status/1… | 2022-08-27 11:06:49 |
| @ciberconsejo |
The latest flaw is tracked as CVE-2022-36804 and is a command injection in multiple API endpoints of the software p… twitter.com/i/web/status/1… | 2022-08-27 11:32:24 |
| @SecurityWeek |
Atlassian Ships Urgent Patch for Critical Bitbucket Vulnerability - securityweek.com/atlassian-ship… (CVE-2022-36804) | 2022-08-27 11:39:56 |
| @MrsYisWhy |
SecurityWeek: Atlassian Ships Urgent Patch for Critical Bitbucket Vulnerability - securityweek.com/atlassian-ship… (CVE-2022-36804) | 2022-08-27 11:40:02 |
| @CVEtrends |
Top 3 trending CVEs on Twitter Past 24 hrs: CVE-2022-36804: 1.5M (audience size) CVE-2022-30190: 184.1K CVE-2022-2… twitter.com/i/web/status/1… | 2022-08-27 13:00:03 |
| @Har_sia |
CVE-2022-36804 har-sia.info/CVE-2022-36804… #HarsiaInfo | 2022-08-27 15:00:06 |
| @MariaRusanova88 |
CVE-2022-36804 and is a command injection in multiple API endpoints of the software product. | 2022-08-27 19:50:11 |
| @securestep9 |
#Atlassian #Bitbucket Server vulnerable to critical #RCE #vulnerability tracked as CVE-2022-36804 - it is a command… twitter.com/i/web/status/1… | 2022-08-28 13:25:31 |
| @stacksmasher |
Heads Up! Multiple API endpoints in Atlassian Bitbucket Server and Data Center RCE | 2022-08-29 00:32:30 |
| @ipssignatures |
The vuln CVE-2022-36804 has a tweet created 1 days ago and retweeted 10 times. twitter.com/SecurityWeek/s… #pow1rtrtwwcve | 2022-08-29 02:06:01 |
 /r/blueteamsec |
Bitbucket Server and Data Center Advisory 2022-08-24 Bitbucket Server and Data Center - Command injection vulnerability - CVE-2022-36804 | 2022-08-24 17:50:09 |
| /r/atlassian |
Bitbucket CVE-2022-36804: Remote Code Execution via Improperly Sanitized Input | 2022-08-25 03:29:15 |
| /r/netcve |
CVE-2022-36804 | 2022-08-25 06:38:31 |
| /r/KomodoCyberConsulting |
CVE-2022-36804: Bitbucket Server and Data Center command injection vulnerability | 2022-08-25 15:52:04 |
| /r/sysadmin |
Critical flaw impacts Atlassian Bitbucket Server and Data Center | 2022-08-29 06:21:31 |
| /r/k12cybersecurity |
A Vulnerability in Atlassian Bitbucket Server and Data Center Could Allow For Remote Code Execution | 2022-08-29 12:37:47 |
| /r/programming |
Bitbucket: critical severity command injection vulnerability with score of 9.9 (CVE-2022-36804) | 2022-08-30 17:49:33 |
| /r/blueteamsec |
Bitbucket Server CVE-2022-36804 漏洞分析 - Bitbucket Server CVE-2022-36804 Vulnerability Analysis | 2022-09-16 18:53:38 |
| /r/netsec |
Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804) | 2022-09-22 04:25:47 |
| /r/blackhat |
Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804) | 2022-09-22 06:52:11 |
| /r/cybersecurity |
OWASP Top 10 protection - what does that actually mean? | 2023-01-09 10:13:14 |
| /r/technicaladversary |
Breaking Bitbucket: Pre Auth Remote Command Execution (CVE-2022-36804) | 2023-01-24 23:53:32 |