Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HAtlassian Bitbucket
APPAtlassian8.3.07.7.0 – 7.17.10 (bez)7.18.0 – 7.21.4 (bez)7.0.0 – 7.6.17 (bez)8.1.0 – 8.1.3 (bez)8.2.0 – 8.2.2 (bez)8.0.0 – 8.0.3 (bez)
CISA KEV — detailsi
- Vendori
- Atlassian ↗
- Producti
- Bitbucket Server and Data Center
- Added to KEVi
- September 30, 2022
- Remediation deadline (US Federal)i
- October 21, 2022(overdue)
Apply updates per vendor instructions.
Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.
Related vulnerabilities
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An...
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Fil...
The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x...
Atlassian Bitbucket Data Center licensed instances starting with version 5.13.0 before 5.13.6 (the fixed versi...
In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13....