Vulnerability Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center from version 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Bitbucket | >= 7.0.0, < 7.6.17 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html (Exploit, Third Party Advisory, VDB Entry)
- http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execu (Exploit, Third Party Advisory, VDB Entry)
- https://jira.atlassian.com/browse/BSERV-13438 (Issue Tracking, Patch, Release Notes)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022- (US Government Resource)
FAQ
What is CVE-2022-36804?
CVE-2022-36804 is a vulnerability with a CVSS score of 8.8 (HIGH). Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0...
How severe is CVE-2022-36804?
CVE-2022-36804 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-36804?
Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Bitbucket.