CVE-2022-36804

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
References
Link Resource
http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html Exploit Third Party Advisory VDB Entry
https://jira.atlassian.com/browse/BSERV-13438 Issue Tracking Patch Release Notes Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:bitbucket:8.3.0:*:*:*:*:*:*:*

History

28 Jun 2024, 13:57

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html - () http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html - Exploit, Third Party Advisory, VDB Entry

08 Aug 2023, 14:22

Type Values Removed Values Added
CWE CWE-77 NVD-CWE-Other

Information

Published : 2022-08-25 06:15

Updated : 2024-06-28 13:57


NVD link : CVE-2022-36804

Mitre link : CVE-2022-36804

CVE.ORG link : CVE-2022-36804


JSON object : View

Products Affected

atlassian

  • bitbucket