CVSSv3: 8.8

CVE-2022-36804

Published: 25/08/2022 Updated: 22/09/2022
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

Vulnerability Summary

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 prior to 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

Vulnerable Products

atlassian bitbucket 8.3.0

atlassian bitbucket

Mailing Lists

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request ...

Github Repositories

Atlassian Bitbucket RCE PoC - CVE-2022-36804: This repo contains a simple PoC script for Atlassian Bitbucket's remote code execution vulnerability. You can simply run this script via the following commands: echo 'bitbucket.redacted.com' | python3 cve-2022-36804.py. Or you can create a targets file from other tools (subfinder, sublist3r or go-dork etc.)

CVE-2022-36804 A loader for bitbucket 2022 rce (cve-2022-36804)

CVE-2022-36804-POC: A critical vulnerability (CVE-2022-36804) in Atlassian Bitbucket Server and Data Center could be exploited by unauthorized attackers to execute malicious code on vulnerable instances. Affected versions: all versions of Bitbucket Server and Data Center released before versions 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.2, 8.2.2, and 8.3.1 are vulnerable. POC: the poc

bitbucket-cve-2022-36804 CVE-2022-36804 Atlassian Bitbucket Command Injection Vulnerability

CVE-2022-36804-PoC-Exploit: A somewhat reliable PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection). This attack generally requires public repos to be enabled, however session cookies are also compatible with this exploit. HowTo Install: git clone github.com/BenHays142/CVE-2022-36804-PoC-Exploit.git; cd CVE-2022-36804-PoC-Exploit; python3 -m pip install -

CVE-2022-36804-POC: A critical vulnerability (CVE-2022-36804) in Atlassian Bitbucket Server and Data Center could be exploited by unauthorized attackers to execute malicious code on vulnerable instances. You can use it with a list of IPs and a single command. If you want to use it with a huge list of IPs, increase the thread count inside the script (not more than 1000). Script is available for

Original Project: github.com/BenHays142/CVE-2022-36804-PoC-Exploit. CVE-2022-36804-PoC-Exploit: A somewhat reliable PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection). This attack generally requires public repos to be enabled, however session cookies are also compatible with this exploit. Note: this exploit includes automatic repo detection which is hand

CVE-2022-36804-POC A critical vulnerability (CVE-2022-36804) in Atlassian Bitbucket Server and Data Center could be exploited by unauthorized attackers to execute malicious code on vulnerable instances

CVE-2022-36804-POC Bitbucket CVE-2022-36804 unauthenticated remote command execution

CVE-2022-36804-PoC: Multithreaded exploit script for CVE-2022-36804 affecting (most) BitBucket versions <8.3.1. See the full advisory here: jira.atlassian.com/browse/BSERV-13438. All credit to TheGrandPew for discovery. The script will automatically detect public repositories located on bitbucket instances, then select a random repository to check or perform the vulner

CVE-2022-36804-PoC-Exploit: A somewhat reliable PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection). This attack generally requires public repos to be enabled, however session cookies are also compatible with this exploit. Note: this exploit includes automatic repo detection which is handy if you don't want to manually find open repos yourself. How To Inst

CVE-2022-36804-RCE Remote Code Execution exploit for CVE-2022-36804 (BitBucket Server and DataCenter)

CVE-2022-36804-mass-rce: Proof of Concept exploit for CVE-2022-36804 affecting BitBucket versions <8.3.1

BitBucketKiller Enum, Check Vuln, Exploit BitBucket Enum: Extracts Accessible Projects in the Bit Bucket Server -> Extracts Accessible Repository Slugs in Each Bit Bucket Server Access Archive of Each Repository Slugs in Each Project Check If Command Injection Is Vulnerable -> Exploit with your Command (CVE-2022-36804)

Recent Articles

Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers
The Register • Jessica Lyons Hardcastle • 01 Jan 1970

Grab and deploy this backend update if you offer even repo read access

A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.
Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild.
But considering the vulnerability, tracked as CVE-2022-36804, received a 9.9...