QID 730600
Date Published: 2022-08-29
QID 730600: Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability
Bitbucket Server and Data Center is vulnerable to CVE-2022-36804, a command injection vulnerability in multiple API endpoints.
Affected Bitbucket Server and Data Center Versions
Atlassian Bitbucket Server and Data Center version from 7.0.0 before version 7.6.17
Atlassian Bitbucket Server and Data Center version from 7.7.0 before version 7.17.10
Atlassian Bitbucket Server and Data Center version from 7.18.0 before version 7.21.4
Atlassian Bitbucket Server and Data Center version from 8.0.0 before version 8.0.3
Atlassian Bitbucket Server and Data Center version from 8.1.0 before version 8.1.3
Atlassian Bitbucket Server and Data Center version from 8.2.0 before version 8.2.2
Atlassian Bitbucket Server and Data Center version from 8.3.0 before version 8.3.1
Detection Logic:
This QID checks for vulnerable versions of Bitbucket Server by sending a GET request to the login page and reading the version it discloses.
Note: The detection is marked as potential because mitigations are available for the vulnerability, and Atlassian Cloud sites are not affected.
An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.
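As an added illustration of the version check described above (this is not Qualys's detection code), the following Python encodes the affected ranges listed in this advisory and tests a version string against them; the login page HTML fragment and its `product-version` span are a constructed assumption, not the real page layout.

```python
import re

# Affected ranges as listed in this advisory: [first affected, first fixed).
AFFECTED_RANGES = [
    ("7.0.0", "7.6.17"),
    ("7.7.0", "7.17.10"),
    ("7.18.0", "7.21.4"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.3"),
    ("8.2.0", "8.2.2"),
    ("8.3.0", "8.3.1"),
]


def parse_version(version):
    """Turn '7.6.16' into (7, 6, 16) so versions compare numerically, not as strings."""
    parts = version.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when the version lies in any affected range (lower bound inclusive,
    fixed version exclusive). Versions between ranges, e.g. 7.22.x, are not
    listed by the advisory and so report as not affected."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_login_page(html):
    """Extract a 'vX.Y.Z' string from login page HTML.

    Assumption: the page exposes the version as 'v7.21.3'; adapt the pattern
    to the real markup. Returns None when no version is found."""
    m = re.search(r"\bv(\d+\.\d+\.\d+)\b", html)
    return m.group(1) if m else None


# Constructed sample login page fragment (not captured from a real server).
SAMPLE_LOGIN_PAGE = '<footer><span id="product-version">v7.21.3</span></footer>'

if __name__ == "__main__":
    found = version_from_login_page(SAMPLE_LOGIN_PAGE)
    print(found, "affected" if found and is_affected(found) else "not affected")
```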
CVEs related to QID 730600
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| CVE-2022-36804 | Atlassian Bitbucket Server and Data Center | | |