SOCRadar® Cyber Intelligence Inc. | Critical RCE Vulnerability in the Atlassian Bitbucket Server and Data Center
Aug 29, 2022
Feb 14, 2024
Moon

Critical RCE Vulnerability in the Atlassian Bitbucket Server and Data Center

Atlassian recently issued a security advisory to notify Bitbucket Server and Data Center users about a critical vulnerability. Tracked as CVE-2022-36804, it is a command injection flaw with a CVSS score of 9.9. On vulnerable systems, the vulnerability could allow attackers to execute arbitrary code.

The flaw exists in several API endpoints and could be exploited if an attacker sends a malicious HTTP request to a repository that they have read access to or one that is publicly accessible. 

There is a FAQ page dedicated to the vulnerability. According to Atlassian, Bitbucket Cloud instances are unaffected, while Bitbucket Server and Data Center versions from 6.10.17 to 8.3.0 are affected.

Versions before 7.19.x will not receive fixes because they are no longer covered by long-term support (LTS). Available fixes are listed below:

PoC Will be Released Soon 

Max Garrett, a security researcher, disclosed CVE-2022-36804 to Atlassian in July 2022 via the company’s bug bounty program. The researcher stated that he would publish a proof-of-concept (PoC) exploit for the flaw in 30 days, giving system administrators time to apply the now available fixes.

There’s no way to predict when the critical RCE flaw will start to be actively exploited by attackers, but exploitation will likely increase once the PoC is released. Garrett believes skilled attackers won’t have much trouble reversing the Atlassian patch.

How to Mitigate? 

It is advised to apply the bug fix releases as soon as possible. If you are unable to update immediately, a temporary workaround is to disable public repositories by setting feature.public.access=false. Note that this only removes the unauthenticated path: as described above, a user with read access to a repository can still reach the vulnerable endpoints, so the workaround is no substitute for patching.
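A small triage helper for the mitigation steps above, added here as an example and not code from SOCRadar or Atlassian: it classifies an instance by the affected version range and LTS cut-off stated in this article and checks whether the feature.public.access workaround is set in a bitbucket.properties file (the file name and the sample contents are assumptions, not taken from the article).

```python
"""Triage helper for CVE-2022-36804 (added example; not SOCRadar's or Atlassian's code)."""
import re

AFFECTED_MIN = (6, 10, 17)  # lowest affected version named in the article
AFFECTED_MAX = (8, 3, 0)    # highest affected version named in the article
LTS_FLOOR = (7, 19, 0)      # article: versions before 7.19.x will not receive fixes

def parse_version(text):
    """Turn '8.2.1' (or '8.2') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def in_affected_range(version):
    """True when the version lies inside the range the article lists as affected."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def fix_available(version):
    """False for release lines the article says are out of LTS and will not be fixed."""
    return parse_version(version) >= LTS_FLOOR

def public_access_disabled(properties_text):
    """True if feature.public.access is set to false in bitbucket.properties text.
    Last non-comment assignment wins, as in a Java properties file; a missing
    key means the default, i.e. public access is still enabled."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blanks and comment lines
        key, sep, val = line.partition("=")
        if sep and key.strip() == "feature.public.access":
            value = val.strip().lower()
    return value == "false"

def triage(version, properties_text):
    """Reduce one instance to an action label a patch tracker can sort on."""
    if not in_affected_range(version):
        return "not-affected"
    if not fix_available(version):
        return "upgrade-to-supported-release"  # no patch exists for this line
    if public_access_disabled(properties_text):
        return "patch-soon-workaround-active"  # users with read access can still reach the flaw
    return "patch-now"

# Constructed sample bitbucket.properties content (assumed file name), not from any real system.
SAMPLE_PROPERTIES = "# constructed\nserver.port=7990\nfeature.public.access=true\nfeature.public.access = false\n"
```

Running `triage("8.2.1", SAMPLE_PROPERTIES)` yields "patch-soon-workaround-active" because the last assignment in the sample file disables public access, while an empty properties text for the same version yields "patch-now".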

Check release notes published by Atlassian for further details of new Bitbucket Server and Data Center versions.