TheCyberThrone

Atlassian Patches Bitbucket Critical Vulnerability


Atlassian fixed a critical flaw in Bitbucket Server and Data Center, tracked as CVE-2022-36804 with a CVSS score of 9.9, that could be exploited to execute malicious code on vulnerable installations.

The flaw is a command injection vulnerability that can be exploited via specially crafted HTTP requests.


Affected Versions

Domains hosted by Atlassian are not affected by this issue.

If you’re unable to upgrade Bitbucket, a temporary mitigation step is available:

Atlassian recommends turning off public repositories using “feature.public.access=false” to prevent unauthorized users from exploiting the flaw.
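To confirm the mitigation is actually in effect, the following added example (not Atlassian's code and not from the original article) reads a Bitbucket properties file and reports the effective value of feature.public.access. It assumes the file is `$BITBUCKET_HOME/shared/bitbucket.properties` and that an unset key leaves public access on; the function name and the sample content are constructed for illustration.

```shell
# Added example: audit a properties file for feature.public.access=false.
# Java .properties rules applied: '#' and '!' start comments, the separator
# may be '=', ':' or whitespace, and the LAST definition of a key wins.

# public_access_state FILE -> prints disabled | enabled | unset | missing-file
# Anything other than the literal value "false" is reported as "enabled" so
# that it gets reviewed. "unset" means the product default applies (assumed
# here to allow public repositories).
public_access_state() {
  [ -r "$1" ] || { echo "missing-file"; return 0; }
  awk '
    /^[ \t]*[#!]/ { next }                 # commented-out settings do not count
    {
      line = $0
      sub(/^[ \t]+/, "", line)             # leading whitespace is ignored
      if (line != "feature.public.access" &&
          line !~ /^feature\.public\.access([ \t]*[=:]|[ \t])/) next
      sub(/^feature\.public\.access[ \t]*[=:]?[ \t]*/, "", line)
      sub(/\r$/, "", line)                 # tolerate CRLF line endings
      value = line; seen = 1               # later definitions override earlier
    }
    END {
      if (!seen) print "unset"
      else if (value == "false") print "disabled"
      else print "enabled"
    }
  ' "$1"
}

# Constructed sample: the mitigation is commented out once, set correctly once,
# then overridden further down the file, so public access is still on.
sample_properties() {
  printf '%s\n' \
    '# feature.public.access=false' \
    'feature.public.access=false' \
    '  feature.public.access : true'
}

# Run as: sh check.sh "$BITBUCKET_HOME/shared/bitbucket.properties"
if [ -n "${1:-}" ]; then
  public_access_state "$1"
fi
```

Only a result of `disabled` shows the temporary mitigation is set in the file; it does not replace upgrading to a fixed version.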
