What is CVE-2022-36804?

CVE-2022-36804 is a command injection vulnerability in Atlassian Bitbucket Server and Data Center.

Which versions of Atlassian Bitbucket Server and Data Center are affected by CVE-2022-36804?

Multiple versions of Atlassian Bitbucket Server and Data Center are affected by CVE-2022-36804, including versions before 7.6.17, before 7.17.10, before 7.21.4, before 8.0.3, before 8.1.3, and before 8.2.2.

What is the severity of CVE-2022-36804?

CVE-2022-36804 has a severity rating of 8.8 (high).

How can I fix CVE-2022-36804?

To fix CVE-2022-36804, it is recommended to update Atlassian Bitbucket Server and Data Center to version 7.6.17 or higher, 7.17.10 or higher, 7.21.4 or higher, 8.0.3 or higher, 8.1.3 or higher, or 8.2.2 or higher.

Where can I find more information about CVE-2022-36804?

You can find more information about CVE-2022-36804 on the Atlassian Jira page: https://jira.atlassian.com/browse/BSERV-13438

Vulnerability/
CVE-2022-36804

Exploited

high

8.8

CWE

25/8/2022

8/8/2023

CVE-2022-36804: Atlassian Bitbucket Server and Data Center Command Injection Vulnerability

First published: Thu Aug 25 2022(Updated: )

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

Credit: security@atlassian.com security@atlassian.com

Affected Software	Affected Version	How to fix
Atlassian Bitbucket	>=7.0.0<7.6.17
Atlassian Bitbucket	>=7.7.0<7.17.10
Atlassian Bitbucket	>=7.18.0<7.21.4
Atlassian Bitbucket	>=8.0.0<8.0.3
Atlassian Bitbucket	>=8.1.0<8.1.3
Atlassian Bitbucket	>=8.2.0<8.2.2
Atlassian Bitbucket	=8.3.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-36804?
CVE-2022-36804 is a command injection vulnerability in Atlassian Bitbucket Server and Data Center.
Which versions of Atlassian Bitbucket Server and Data Center are affected by CVE-2022-36804?
Multiple versions of Atlassian Bitbucket Server and Data Center are affected by CVE-2022-36804, including versions before 7.6.17, before 7.17.10, before 7.21.4, before 8.0.3, before 8.1.3, and before 8.2.2.
What is the severity of CVE-2022-36804?
CVE-2022-36804 has a severity rating of 8.8 (high).
How can I fix CVE-2022-36804?
To fix CVE-2022-36804, it is recommended to update Atlassian Bitbucket Server and Data Center to version 7.6.17 or higher, 7.17.10 or higher, 7.21.4 or higher, 8.0.3 or higher, 8.1.3 or higher, or 8.2.2 or higher.
Where can I find more information about CVE-2022-36804?
You can find more information about CVE-2022-36804 on the Atlassian Jira page: https://jira.atlassian.com/browse/BSERV-13438

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/title
agent/type
agent/weakness
exploited/true
collector/cisa-known-exploited
source/CISA
agent/software-canonical-lookup
collector/nvd-api
collector/nvd-index
vendor/atlassian
canonical/atlassian bitbucket server and data center
canonical/atlassian bitbucket
version/atlassian bitbucket/7.0.0
version/atlassian bitbucket/7.7.0
version/atlassian bitbucket/7.18.0
version/atlassian bitbucket/8.0.0
version/atlassian bitbucket/8.1.0
version/atlassian bitbucket/8.2.0
version/atlassian bitbucket/8.3.0