Bitbucket Server & Data Center - Remote Code Execution (CVE-2022-36804)
- Severity
- CVSSv3 Score
- 8.8
- Vulnerability description
Bitbucket Server is affected by a Remote Code Execution vulnerability in multiple API endpoints. The root cause is missing input sanitization: an attacker can append extra arguments to the request URI by using NULL bytes.
- Risk description
The risk exists that a remote unauthenticated attacker with access to a public repository or an authenticated attacker with read permissions to a private repository could exploit this vulnerability to execute arbitrary code on the vulnerable Bitbucket server by sending maliciously crafted HTTP requests.
- Exploit capabilities
Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
- Recommendation
Upgrading Bitbucket Server to version 8.3.1 or later, or to any other patched version listed in the vendor advisory, removes the vulnerability.
- References
https://nvd.nist.gov/vuln/detail/CVE-2022-36804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804
- Codename
- Not available
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- Aug 2022
- Published at
- Updated at
- Software Type
- Collaboration software
- Vendor
- Atlassian
- Product
- Server