QID 379105
Date Published: 2024-01-02
QID 379105: Atlassian Bitbucket Data Center Remote Code Execution (RCE) Vulnerability (BSERV-14528)
Bitbucket Data Center looks like a single instance of Bitbucket Server to users, but under the hood, it consists of a cluster of multiple machines ("cluster nodes") each running the Bitbucket Server web application, behind a load balancer.
In Bitbucket Server, the SnakeYAML Constructor class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content supplied by an attacker can therefore lead to remote code execution (CVE-2022-43781).
Affected Versions:
Atlassian Bitbucket Server, the following versions: 7.17.x, 7.18.x, 7.19.x, 7.20.x, 7.21.0, 7.21.1, 7.21.2, 7.21.3, 7.21.4, 7.21.5, 7.21.6, 7.21.7, 7.21.8, 7.21.9, 7.21.10, 7.21.11, 7.21.12, 7.21.13, 7.21.14, 7.21.15, 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.0, 8.8.1, 8.8.2, 8.8.3, 8.8.4, 8.8.5, 8.8.6, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 8.11.0, 8.11.1, 8.11.2, 8.12.0
Detection Logic (Unauthenticated):
The QID checks for vulnerable versions of Atlassian Bitbucket Server by sending a GET request to the /login endpoint and evaluating the version it reports.
Detection Logic (Authenticated):
The QID checks for vulnerable versions of Atlassian Bitbucket Server by reading the registry entry on Windows and by invoking commands on Linux.
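The version comparison behind the unauthenticated check, as an added example that is not Qualys's detection code: it takes the affected-version list from this advisory (trailing "x" treated as a wildcard, and the entry that appears as ".6.x" read as 8.6.x because of its position between 8.5.x and 8.7.x), pulls a version string out of a constructed /login response, and reports whether that version is in the affected set. The `data-version` meta attribute the parser looks for is an assumption about the login page markup, not something the advisory states.

```python
import re
from typing import Optional

# Versions listed as affected in the advisory above. A trailing "x" is a
# wildcard for any value in that position. The advisory entry that reads
# ".6.x" is taken here as 8.6.x (assumption: it sits between 8.5.x and 8.7.x).
AFFECTED_VERSION_PATTERNS = (
    ["7.17.x", "7.18.x", "7.19.x", "7.20.x"]
    + [f"7.21.{n}" for n in range(16)]          # 7.21.0 .. 7.21.15
    + [f"8.{n}.x" for n in range(8)]            # 8.0.x .. 8.7.x
    + [f"8.8.{n}" for n in range(7)]            # 8.8.0 .. 8.8.6
    + [f"8.9.{n}" for n in range(4)]            # 8.9.0 .. 8.9.3
    + [f"8.10.{n}" for n in range(4)]           # 8.10.0 .. 8.10.3
    + ["8.11.0", "8.11.1", "8.11.2", "8.12.0"]
)

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> tuple:
    """Turn '8.12.0' into (8, 12, 0); reject anything that is not dotted integers."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def matches_pattern(version: str, pattern: str) -> bool:
    """True if the concrete version falls under an advisory pattern such as '8.6.x' or '7.21.4'."""
    parts = parse_version(version)
    pattern_parts = pattern.split(".")
    # Pad a short version (e.g. '8.0') with zeros so it still compares against '8.0.x'.
    # Extra trailing components on the version (e.g. '7.21.4.1') are ignored.
    parts = parts + (0,) * (len(pattern_parts) - len(parts))
    for actual, expected in zip(parts, pattern_parts):
        if expected == "x":
            continue
        if actual != int(expected):
            return False
    return True


def is_affected(version: str) -> bool:
    """Membership test against every pattern in the advisory's affected list."""
    return any(matches_pattern(version, p) for p in AFFECTED_VERSION_PATTERNS)


# Assumed markup: the login page carries a <meta> tag with a data-version attribute.
_LOGIN_VERSION_RE = re.compile(r'<meta[^>]*\bdata-version="([^"]+)"', re.IGNORECASE)


def extract_version_from_login_page(html: str) -> Optional[str]:
    """Return the version string advertised by the login page, or None if absent."""
    match = _LOGIN_VERSION_RE.search(html)
    return match.group(1) if match else None


def assess_login_page(html: str) -> dict:
    """Combine extraction and the affected-version check; 'affected' is None when undecidable."""
    version = extract_version_from_login_page(html)
    if version is None:
        return {"version": None, "affected": None}
    try:
        return {"version": version, "affected": is_affected(version)}
    except ValueError:
        # Non-numeric version strings (e.g. '8.12.0-rc1') are reported but not judged.
        return {"version": version, "affected": None}


# Constructed sample of a /login response; the meta tag layout is an assumption.
SAMPLE_LOGIN_HTML = """<!DOCTYPE html><html><head>
<meta name="application-name" content="Bitbucket" data-version="8.12.0">
<title>Log in - Bitbucket</title></head><body></body></html>"""

if __name__ == "__main__":
    print(assess_login_page(SAMPLE_LOGIN_HTML))
```

Versions that are not enumerated by the advisory (for example 7.21.16 or 8.12.1) are reported as not affected; the function makes no claim about whether those builds are fixed, only that the advisory does not list them.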
Successful exploitation of this vulnerability allows remote code execution, which may aid further attacks.
- BSERV-14528 - jira.atlassian.com/browse/BSERV-14528
CVEs related to QID 379105
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| BSERV-14528 | Atlassian Bitbucket Server | | jira.atlassian.com/browse/BSERV-14528 |