This vulnerability does not target any specific sector; potential attacks will likely be indiscriminate and opportunistic in nature.
Severity level: Critical – the vulnerability does not require special authentication credentials and can cause root-level compromise.
A critical command injection vulnerability has been discovered affecting several API endpoints of Atlassian Bitbucket Server and Data Center. The vulnerability is tracked as CVE-2022-36804. Fixed versions have been released and should be applied as soon as possible.
This vulnerability enables a threat actor to execute arbitrary code by sending a crafted HTTP request to a vulnerable instance, provided the attacker has access to a public repository or holds read permission on a private Bitbucket repository. From there, a threat actor can gain access to the underlying system and potentially exfiltrate sensitive data.
The vulnerability affects all of the versions listed below.
Bitbucket Server and Data Center 7.6
Bitbucket Server and Data Center 7.17
Bitbucket Server and Data Center 7.21
Bitbucket Server and Data Center 8.0
Bitbucket Server and Data Center 8.1
Bitbucket Server and Data Center 8.2
Bitbucket Server and Data Center 8.3
Containment, Mitigations & Remediations
To remediate the vulnerability, customers are strongly advised to patch immediately to the corresponding fixed version provided by Atlassian.
Bitbucket Server and Data Center 7.6, patch to 7.6.17 or newer
Bitbucket Server and Data Center 7.17, patch to 7.17.10 or newer
Bitbucket Server and Data Center 7.21, patch to 7.21.4 or newer
Bitbucket Server and Data Center 8.0, patch to 8.0.3 or newer
Bitbucket Server and Data Center 8.1, patch to 8.1.3 or newer
Bitbucket Server and Data Center 8.2, patch to 8.2.2 or newer
Bitbucket Server and Data Center 8.3, patch to 8.3.1 or newer
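The fixed-version table above is easiest to apply across a fleet as a script. The following is an added example, not code from this advisory or from Atlassian: it classifies a Bitbucket Server / Data Center version string against the branches and fixed releases listed above, and assumes that the instance's version can be read from the `version` field of Bitbucket's `/rest/api/1.0/application-properties` REST response (the sample response below is constructed).

```python
"""Check Bitbucket Server / Data Center versions against the CVE-2022-36804
fixed releases listed in this advisory (feature branch -> first fixed release)."""
import json
import re
from typing import Tuple

# Fixed releases per affected branch, exactly as listed in the advisory.
FIXED_VERSIONS = {
    (7, 6): (7, 6, 17), (7, 17): (7, 17, 10), (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3), (8, 1): (8, 1, 3), (8, 2): (8, 2, 2), (8, 3): (8, 3, 1),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.21.3' (or '7.21', or '8.0.2-rc1') into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version: str) -> dict:
    """Classify a version as 'vulnerable', 'fixed' or 'unlisted'.
    'unlisted' only means the branch is absent from this advisory's table;
    it is not an assurance of safety, so check Atlassian's own advisory."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return {"version": version, "status": "unlisted", "upgrade_to": None}
    if (major, minor, patch) < fixed:
        target = ".".join(str(n) for n in fixed)
        return {"version": version, "status": "vulnerable", "upgrade_to": target}
    return {"version": version, "status": "fixed", "upgrade_to": None}


def assess_application_properties(body: str) -> dict:
    """Assess the JSON body returned by Bitbucket's (assumed)
    GET /rest/api/1.0/application-properties endpoint; only 'version' is used."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample response, not captured from a real server.
    sample = '{"version":"7.21.3","buildNumber":"7021003","displayName":"Bitbucket"}'
    for v in ("7.6.16", "7.6.17", "8.3.0", "8.3.1", "7.10.2"):
        print(assess(v))
    print(assess_application_properties(sample))
```

Versions are compared as integer tuples, so 7.21.10 correctly sorts after the 7.21.4 fix where a plain string comparison would not.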
Indicators of Compromise
Atlassian products such as these are used by a wide array of businesses across the world, thereby affording any attacker a vast choice of potential targets. This vulnerability is part of a continuous cycle of weakness discovery followed by security patching. This trend will almost certainly continue, and so a process of regular patching cycles must be adhered to in order to keep business systems as secure as possible.
No specific groups have been linked to this vulnerability.
T1190 – Exploit Public-Facing Application
T1078 – Valid Accounts