Bitbucket Server and Data Center command injection vulnerability

Atlassian has officially issued a security advisory for Bitbucket Server and Data Center. The vulnerability is tracked as CVE-2022-36804 and is rated critical. The flaw was found by the security researcher @TheGrandPew and reported through Atlassian's Bug Bounty program. He has promised to release proof-of-concept code in 30 days.

Bitbucket is a Git-based source code repository hosting service owned by Atlassian. Bitbucket offers both commercial plans and free accounts with an unlimited number of private repositories.

This bug affects the Bitbucket Server and Data Center products. According to Atlassian, an “attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”

CVE-2022-36804 resides in multiple API endpoints of Bitbucket Server and Data Center. All versions released after 6.10.17, including 7.0.0 and newer, are affected. This means that every instance running any version between 7.0.0 and 8.3.0 inclusive is affected by this vulnerability.
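A defender's first question is whether a given instance falls inside the affected range stated above. The following Python script is an added example (not Atlassian's code and not from the advisory): it parses a Bitbucket version string and checks it against the 7.0.0 to 8.3.0 inclusive range. The JSON sample is constructed to resemble the response of the Bitbucket REST endpoint `/rest/api/1.0/application-properties`; that endpoint and the shape of its response are assumptions to verify against your own instance. Patched builds inside the range are listed in the vendor advisory, so treat a positive result as a prompt to compare against the vendor's fixed versions, not as a final verdict.

```python
"""Check whether a Bitbucket Server / Data Center version is inside the
CVE-2022-36804 affected range given in the advisory (7.0.0 .. 8.3.0 inclusive).

Added example for illustration; not Atlassian's code."""
import json
import re
from typing import Tuple

# Affected range as stated in the advisory text above.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (8, 3, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.3.0' (optionally with a '-suffix' or '.suffix') into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies within the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed sample: the shape assumed for the JSON returned by
# /rest/api/1.0/application-properties (assumption; confirm on your instance).
SAMPLE_RESPONSE = '{"version":"7.21.3","buildNumber":"7021003","displayName":"Bitbucket"}'


def assess(response_json: str) -> dict:
    """Extract the version from an application-properties style response and classify it."""
    props = json.loads(response_json)
    version = props["version"]
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    # Example run against the constructed sample above.
    print(assess(SAMPLE_RESPONSE))
```

Feed `assess()` the body of the application-properties response from each instance in your inventory; anything reported as affected should be checked against the vendor's list of fixed releases and scheduled for upgrade.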

For Further Reference

https://securityonline.info/cve-2022-36804-bitbucket-server-and-data-center-command-injection-vulnerability/
