CVE-2022-36804

Summary

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

Affected Software

VendorProductVersion RangeStatus
AtlassianBitbucket Server7.0.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 7.6.17affected
AtlassianBitbucket Server7.7.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 7.17.10affected
AtlassianBitbucket Server7.18.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 7.21.4affected
AtlassianBitbucket Server8.0.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 8.0.3affected
AtlassianBitbucket Server8.1.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 8.1.3affected
AtlassianBitbucket Server8.2.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 8.2.2affected
AtlassianBitbucket Server8.3.0 < unspecifiedaffected
AtlassianBitbucket Serverunspecified < 8.3.1affected
AtlassianBitbucket Data Center7.0.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 7.6.17affected
AtlassianBitbucket Data Center7.7.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 7.17.10affected
AtlassianBitbucket Data Center7.18.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 7.21.4affected
AtlassianBitbucket Data Center8.0.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 8.0.3affected
AtlassianBitbucket Data Center8.1.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 8.1.3affected
AtlassianBitbucket Data Center8.2.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 8.2.2affected
AtlassianBitbucket Data Center8.3.0 < unspecifiedaffected
AtlassianBitbucket Data Centerunspecified < 8.3.1affected

Weaknesses

  • Remote Code Execution

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References