Atlassian has rolled out fixes for a critical security flaw in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations.
Tracked as CVE-2022-36804 (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests.
"An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request," Atlassian said in an advisory.
The shortcoming, discovered and reported by security researcher @TheGrandPew, impacts all versions of Bitbucket Server and Datacenter released after 6.10.17, inclusive of 7.0.0 and newer –
- Bitbucket Server and Datacenter 7.6
- Bitbucket Server and Datacenter 7.17
- Bitbucket Server and Datacenter 7.21
- Bitbucket Server and Datacenter 8.0
- Bitbucket Server and Datacenter 8.1
- Bitbucket Server and Datacenter 8.2, and
- Bitbucket Server and Datacenter 8.3
As a temporary workaround in scenarios where the patches can't be applied immediately, Atlassian is recommending turning off public repositories by setting "feature.public.access=false" in bitbucket.properties to prevent unauthenticated users from exploiting the flaw.
"This can not be considered a complete mitigation as an attacker with a user account could still succeed," it cautioned, meaning the flaw could still be leveraged by threat actors who are already in possession of valid credentials obtained through other means.
Users of affected versions of the software are recommended to upgrade their instances to the latest version as soon as possible to mitigate potential threats.
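For anyone auditing a fleet of instances that cannot be patched immediately, the following is an added example (not Atlassian's code, and not part of the original article) that parses a bitbucket.properties file and reports whether the interim workaround is in effect. It assumes the Java .properties syntax that bitbucket.properties uses, and that an absent `feature.public.access` key means Bitbucket's default, which allows public repositories; the sample file embedded below is constructed, not taken from a real instance.

```python
"""Audit bitbucket.properties for the CVE-2022-36804 interim workaround.

Added example, not Atlassian's code. Assumptions: bitbucket.properties uses
Java .properties syntax; a missing feature.public.access key means the
default (public repositories allowed). The sample below is constructed.
"""
from typing import Dict, List

# Constructed sample: not from a real instance. Exercises comments, a
# backslash line continuation, and whitespace around the '=' separator.
SAMPLE_PROPERTIES = """\
# constructed sample bitbucket.properties
! Java .properties also allows '!' comments
server.port=7990
server.context-path=/bitbucket
jdbc.url=jdbc:postgresql://db.example.internal:5432/\\
bitbucket
feature.public.access = false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser.

    Handles '#' and '!' comment lines, '=', ':' or whitespace as the
    key/value separator, and trailing-backslash line continuations.
    Later definitions of a key override earlier ones. Escape sequences
    inside keys (e.g. '\\:') are deliberately not handled.
    """
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf:
            buf += line                      # continuation of previous line
        else:
            if not line or line[0] in "#!":
                continue                     # blank or comment line
            buf = line
        if buf.endswith("\\"):
            buf = buf[:-1]                   # join with the next line
            continue
        logical.append(buf)
        buf = ""
    if buf:
        logical.append(buf)

    props: Dict[str, str] = {}
    for line in logical:
        key_end = 0
        while key_end < len(line) and line[key_end] not in "=: \t":
            key_end += 1
        key = line[:key_end]
        rest = line[key_end:].lstrip()
        if rest and rest[0] in "=:":
            rest = rest[1:].lstrip()
        props[key] = rest.strip()
    return props


def public_access_disabled(props: Dict[str, str]) -> bool:
    """True only when feature.public.access is explicitly 'false'.

    Assumption: an absent key falls back to Bitbucket's default, which
    allows public repositories, so it is treated as not mitigated.
    """
    return props.get("feature.public.access", "true").strip().lower() == "false"


def audit(text: str) -> str:
    """Return 'workaround-applied' or 'public-access-enabled' for a file body."""
    return "workaround-applied" if public_access_disabled(parse_properties(text)) else "public-access-enabled"


if __name__ == "__main__":
    print(audit(SAMPLE_PROPERTIES))
    print(audit("server.port=7990\n"))
```

A result of `workaround-applied` only confirms that unauthenticated access to public repositories is switched off; as Atlassian notes, an attacker who holds any valid account with read access can still exploit the flaw, so the script is a stop-gap check, not a substitute for upgrading.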