Critical command injection vulnerability discovered in Bitbucket Server and Data Center
Reading Time: 1 Minute
A critical command injection vulnerability in a Bitbucket product could allow an attacker to execute arbitrary code, researchers warn.
Bitbucket is a Git-based source code repository hosting service owned by Atlassian.
The flaw, tracked as CVE-2022-36804, is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center.
Read more of the latest news about security vulnerabilities
This vulnerability could allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.
It was discovered by researcher ‘The Grand Pew’, who reported it through Bugcrowd’s bug bounty program.
See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course
Update now
All versions of the Server and Data Center released after 6.10.17 are affected, meaning that all instances running any versions between 7.0.0 and 8.3.0 inclusive are vulnerable.
Users are urged to update to the latest version. For those who cannot, Bitbucket has offered a workaround.
A blog post reads: “A temporary mitigation step is to turn off public repositories globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack.”
Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?
If you want to express your idea in an article contact us here for a quote: [email protected]
Source: portswigger.net