Security researcher “The Grand Pew” discovered a critical command injection vulnerability in a Bitbucket product.
Tracked as CVE-2022-36804, the flaw is a command injection in multiple API endpoints of Bitbucket Server and Data Center.
This vulnerability could allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.
Which versions are affected
All Server and Data Center versions released after 6.10.17 are affected; that is, every instance running a version from 7.0.0 through 8.3.0 inclusive is vulnerable.
Users are urged to update to the latest version. For those who cannot, Bitbucket has offered a workaround.
A blog post reads: “A temporary mitigation step is to turn off public repositories globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack.”
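As an added example (not from the article, the researcher, or Atlassian), a small Python triage helper for administrators: it checks a reported Bitbucket version against the affected range exactly as stated above (7.0.0 through 8.3.0 inclusive) and inspects bitbucket.properties text for the feature.public.access workaround. The .properties parsing rules and the choice to treat an unset key as "public access enabled" are assumptions, not something the article states.

```python
import re
from typing import Tuple

# Affected range as stated in the article: 7.0.0 through 8.3.0 inclusive.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (8, 3, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '7.21.3' into a comparable int tuple.
    Trailing qualifiers (e.g. '-EAP') are ignored; missing parts count as 0."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside the range the article lists."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def public_access_enabled(properties_text: str) -> bool:
    """Return False only if feature.public.access=false is set.
    Assumes Java .properties syntax ('#'/'!' comments, key=value or
    key:value, last occurrence wins); an unset key is treated as enabled
    (assumption, not taken from the article)."""
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == "feature.public.access":
            value = m.group(2).strip().lower()
    return value != "false"


def assess(version: str, properties_text: str) -> str:
    """Combine both checks into a one-line triage verdict."""
    if not is_affected(version):
        return "not affected"
    if public_access_enabled(properties_text):
        return "affected, reachable without credentials via public repositories"
    return "affected, workaround applied (authenticated read access still required)"


# Constructed sample bitbucket.properties with the workaround in place.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
server.port=7990
feature.public.access = false
"""

if __name__ == "__main__":
    print(assess("7.21.3", SAMPLE_PROPERTIES))
    print(assess("8.4.0", ""))
```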