Security
Headlines
HeadlinesLatestCVEs

Headline

Critical command injection vulnerability discovered in Bitbucket Server and Data Center

Update now to protect against flaw

PortSwigger
#vulnerability#git#auth#bitbucket

Jessica Haworth 26 August 2022 at 14:03 UTC

Update now to protect against flaw

A critical command injection vulnerability in a Bitbucket product could allow an attacker to execute arbitrary code, researchers warn.

Bitbucket is a Git-based source code repository hosting service owned by Atlassian.

The flaw, tracked as CVE-2022-36804, is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center.

Read more of the latest news about security vulnerabilities

This vulnerability could allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.

It was discovered by researcher ‘The Grand Pew’, who reported it through Bugcrowd’s bug bounty program.

Update now

All versions of the Server and Data Center released after 6.10.17 are affected, meaning that all instances running any versions between 7.0.0 and 8.3.0 inclusive are vulnerable.

Users are urged to update to the latest version. For those who cannot, Bitbucket has offered a workaround.

A blog post reads: “A temporary mitigation step is to turn off public repositories globally by setting as this will change this attack vector from an unauthorized attack to an authorized attack.”

YOU MAY ALSO LIKE LastPass flags security incident after attackers stole source code, technical information

Related news

Bitbucket 7.0.0 Remote Command Execution

Bitbucket version 7.0.0 suffers from a remote command execution vulnerability.

Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products

Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products. The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system. CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center,

Actively exploited vulnerability in Bitbucket Server and Data Center

Categories: Exploits and vulnerabilities Categories: News Tags: Atlassian Tags: Bitbucket Tags: git Tags: CVE-2022-36804 Tags: RCE Tags: read permission International cybersecurity authorities are warning about the active exploitation of a vulnerability in Bitbucket Server and Data Center (Read more...) The post Actively exploited vulnerability in Bitbucket Server and Data Center appeared first on Malwarebytes Labs.

CISA Warns of Hackers Exploiting Critical Atlassian Bitbucket Server Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed critical flaw impacting Atlassian's Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2022-36804, the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary

Bitbucket Git Command Injection

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.

Critical Vulnerability Discovered in Atlassian Bitbucket Server and Data Center

Atlassian has rolled out fixes for a critical security flaw in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations. Tracked as CVE-2022-36804 (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests. “An

CVE-2022-36804: [BSERV-13438] Critical severity command injection vulnerability - CVE-2022-36804

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

PortSwigger: Latest News

We’re going teetotal: It’s goodbye to The Daily Swig