HIGH🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2022-36804

CVSS 8.8v3.1pub. 2022-08-25upd. 2025-10-24

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Atlassian Bitbucket

    APP
    Atlassian
    8.3.07.7.0 – 7.17.10 (bez)7.18.0 – 7.21.4 (bez)7.0.0 – 7.6.17 (bez)8.1.0 – 8.1.3 (bez)8.2.0 – 8.2.2 (bez)8.0.0 – 8.0.3 (bez)

CISA KEV — detailsi

Vendori
Atlassian
Producti
Bitbucket Server and Data Center
Added to KEVi
September 30, 2022
Remediation deadline (US Federal)i
October 21, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 21 października 2022
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2022-43781CRITICAL9.8ten sam produkt

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An...

CVE-2022-26136CRITICAL9.8ten sam produkt

A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Fil...

CVE-2019-15000CRITICAL9.8ten sam produkt

The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x...

CVE-2019-3397CRITICAL9.1ten sam produkt

Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed versi...

CVE-2018-5225CRITICAL9.9ten sam produkt

In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13....