
Bitbucket Server & Data Center - Remote Code Execution (CVE-2022-36804)

Severity: CVSSv3 score 8.8
Vulnerability description

Bitbucket Server is affected by a remote code execution vulnerability in multiple API endpoints. The root cause is missing input sanitization: an attacker can inject additional arguments into the request URI by using NULL bytes.

Risk description

A remote unauthenticated attacker with access to a public repository, or an authenticated attacker with read permission on a private repository, could exploit this vulnerability to execute arbitrary code on the vulnerable Bitbucket Server by sending maliciously crafted HTTP requests.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Upgrading Bitbucket Server to version 8.3.1 or later, or to any other patched version listed in the Atlassian advisory, removes the vulnerability.

Codename: Not available
Detectable with: Network Scanner
Exploitable with Sniper: Yes
Vuln date: Aug 2022
Published at:
Updated at:
Software Type: Collaboration software
Vendor: Atlassian
Product: Server