
Actively exploited vulnerability in Bitbucket Server and Data Center

Categories: Exploits and vulnerabilities, News. Tags: Atlassian, Bitbucket, git, CVE-2022-36804, RCE, read permission

International cybersecurity authorities are warning about the active exploitation of a vulnerability in Bitbucket Server and Data Center


The post Actively exploited vulnerability in Bitbucket Server and Data Center appeared first on Malwarebytes Labs.


On September 29, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities catalog. One of them is a vulnerability in Atlassian’s Bitbucket Server and Data Center. The other two are the Exchange Server zero-day vulnerabilities we wrote about last week.

The Bitbucket vulnerability is not a zero-day: fixed versions have been available since August 24, 2022. It allows an attacker who has read permission on a repository to execute arbitrary code by sending a malicious HTTP request.

Mitigation

All versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer, are affected. Atlassian recommends upgrading your instance to one of the versions listed below.

Supported Version                          Bug Fix Release
Bitbucket Server and Data Center 7.6       7.6.17 (LTS) or newer
Bitbucket Server and Data Center 7.17      7.17.10 (LTS) or newer
Bitbucket Server and Data Center 7.21      7.21.4 (LTS) or newer
Bitbucket Server and Data Center 8.0       8.0.3 or newer
Bitbucket Server and Data Center 8.1       8.1.3 or newer
Bitbucket Server and Data Center 8.2       8.2.2 or newer
Bitbucket Server and Data Center 8.3       8.3.1 or newer

You can download the latest version of Bitbucket from the download center. Visit the Frequently Asked Questions (FAQ) page if you have any questions.

If, for any reason, you are unable to apply the security updates, you are advised to apply a temporary partial mitigation: turn off public repositories by setting the option feature.public.access to false. This blocks unauthorized users from accessing repositories; it is only partial because an attacker who already holds read permission on a private repository can still exploit the flaw.

If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.

Vulnerability

The remote code execution vulnerability was found by Maxwell Garrett, a security researcher at Assetnote, and assigned CVE-2022-36804. It was rated critical, which indicates a CVSS score between 9 and 10 out of 10. Any attacker who can read the content of a repository, either because it is a public repository or because they have read permission on a private repository, is able to exploit the vulnerability.

Discovery

Bitbucket is a web-based hosting service for source code and development projects. Typically, Bitbucket Server is deployed on-premises and allows source code to be uploaded from GitHub and other platforms. Bitbucket uses git for many operations within the software. The discovery was inspired by William Bowling's blog post about his RCE via git option injection in GitHub Enterprise.

Exploitation

The proof-of-concept (PoC) exploit was made public on September 19, 2022. Attackers did not wait long. Some were observed scanning for vulnerable instances as early as September 20th.

Besides CISA adding the vulnerability to the Known Exploited Vulnerabilities list, the Belgian federal cyber emergency team (CERT.be) warned that an exploit kit is now available for CVE-2022-36804 and urged users to patch.

WARNING: An exploit kit is now available for CVE-2022-36804 affecting @Atlassian @Bitbucket Server and Data Center. More information on https://t.co/ccK9ng8j58
If you haven’t done so already, it’s time to #patch #patch #patch https://t.co/fytm6ZEGiw

— CERT.be (@certbe) September 27, 2022

Now that CISA has set a to-be-patched date of October 21, 2022, the vulnerability will move higher on the agenda for US Federal Civilian Executive Branch (FCEB) agencies. As always, all other organizations are advised to patch urgently if they haven’t already.

Related news

Bitbucket 7.0.0 Remote Command Execution

Bitbucket version 7.0.0 suffers from a remote command execution vulnerability.

Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products

Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products. The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system. CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center,

CISA Warns of Hackers Exploiting Critical Atlassian Bitbucket Server Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed critical flaw impacting Atlassian's Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2022-36804, the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary

Bitbucket Git Command Injection

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.
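The description above gives a defender two concrete signals: the repository archive endpoint and an embedded NULL byte in the request. The following is an added example, not from the article or from any of the linked reports: it scans access-log lines for requests to that endpoint whose target still contains a NULL byte after percent-decoding. The log layout is a constructed combined-log style and the sample lines are constructed; adapt the line regex to your reverse proxy or Bitbucket access-log format.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Request target must be the repository archive endpoint named on the page.
ARCHIVE_PATH = re.compile(
    r"^/rest/api/[^/]+/projects/[^/]+/repos/[^/]+/archive(?:\?|$)"
)
# Constructed combined-log layout: client ident user [timestamp] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def suspicious_archive_request(line: str) -> Optional[Dict[str, str]]:
    """Return the interesting fields of a log line that targets the archive
    endpoint with an embedded NULL byte, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m or not ARCHIVE_PATH.match(m.group("target")):
        return None
    # Decode twice so both %00 and a double-encoded %2500 are caught.
    if "\x00" not in unquote(unquote(m.group("target"))):
        return None
    return {k: m.group(k) for k in ("ip", "ts", "method", "target", "status")}


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run the check over every line of an access log and collect the hits."""
    hits = (suspicious_archive_request(line) for line in log_text.splitlines())
    return [hit for hit in hits if hit]


# Constructed sample log: one benign archive download, one browse request, and
# two archive requests carrying a NULL byte (single- and double-encoded).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2022:10:14:02 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip HTTP/1.1" 200 51234
198.51.100.4 - - [20/Sep/2022:10:15:11 +0000] "GET /projects/PROJ/repos/app/browse HTTP/1.1" 200 8042
203.0.113.7 - - [20/Sep/2022:10:16:09 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip%00abc HTTP/1.1" 500 0
203.0.113.7 - - [20/Sep/2022:10:16:30 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip%2500abc HTTP/1.1" 200 120
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['target']}")
```

A 200 response on a flagged request deserves more attention than a 500, since the request reached the endpoint and was served rather than rejected.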

Critical Vulnerability Discovered in Atlassian Bitbucket Server and Data Center

Atlassian has rolled out fixes for a critical security flaw in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations. Tracked as CVE-2022-36804 (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests. “An

CVE-2022-36804: [BSERV-13438] Critical severity command injection vulnerability - CVE-2022-36804

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.