Cyber Security

Critical command injection vulnerability discovered in Bitbucket Server and Data Center

A critical command injection vulnerability in a Bitbucket product could allow an attacker to execute arbitrary code, researchers warn.

Bitbucket is a Git-based source code repository hosting service owned by Atlassian.

The flaw, tracked as CVE-2022-36804, is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center.


This vulnerability could allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.

It was discovered by researcher ‘The Grand Pew’, who reported it through Bugcrowd’s bug bounty program.

Update now

All versions of Bitbucket Server and Data Center released after 6.10.17 are affected, meaning every instance running a version from 7.0.0 through 8.3.0 inclusive is vulnerable.

Users are urged to update to a fixed version. For those who cannot patch immediately, Atlassian has published a temporary workaround.

Atlassian's post reads: “A temporary mitigation step is to turn off public repositories globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack.” Note that this only removes the unauthenticated path: any account that holds read permission on a repository can still trigger the flaw, so the setting is not a substitute for upgrading.
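As an added triage helper that is not part of the original article or of any Atlassian tooling, the script below encodes the two checks an administrator would want from this report: whether an instance's version falls in the affected range the article states (7.0.0 through 8.3.0 inclusive), and whether the interim mitigation (feature.public.access=false) is in place. It assumes the version can be read from the JSON returned by Bitbucket Server's application-properties REST endpoint and that the setting lives in the instance's bitbucket.properties file; both inputs are embedded here as constructed samples so the script runs offline. Because the article gives the range coarsely, the check also accepts a list of vendor-fixed point releases (a constructed value is used in the comments) so patched builds inside the range are not flagged.

```python
import json
import re
from typing import FrozenSet, Tuple

# Affected range as stated in the article: all releases after 6.10.17, i.e.
# every version from 7.0.0 through 8.3.0 inclusive.
FIRST_AFFECTED = (7, 0, 0)
LAST_AFFECTED = (8, 3, 0)

# Constructed sample body from the (assumed) endpoint
# GET /rest/api/1.0/application-properties on a Bitbucket Server instance.
SAMPLE_APPLICATION_PROPERTIES = '{"version": "8.2.1", "displayName": "Bitbucket"}'

# Constructed sample of <bitbucket home>/shared/bitbucket.properties (assumed
# location) with the advisory's mitigation applied.
SAMPLE_BITBUCKET_PROPERTIES = """\
# constructed sample, not a real deployment
server.port = 7990
feature.public.access=false
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; trailing suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str, fixed_versions: FrozenSet[str] = frozenset()) -> bool:
    """True when the version is inside the affected range (both ends inclusive).

    fixed_versions is the vendor's list of patched point releases (e.g. a
    hypothetical "8.2.2"); any build at or above a fixed release within the
    same major.minor line is treated as patched.
    """
    v = parse_version(version)
    for fixed in fixed_versions:
        fv = parse_version(fixed)
        if fv[:2] == v[:2] and v >= fv:
            return False
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


def version_from_application_properties(body: str) -> str:
    """Pull the 'version' field out of an application-properties JSON body."""
    return json.loads(body)["version"]


def public_access_enabled(properties_text: str) -> bool:
    """Read feature.public.access from bitbucket.properties text.

    Handles Java .properties syntax: '#' or '!' comments, '=' or ':' separators,
    optional whitespace. A missing key is treated as enabled, which is why the
    advisory tells administrators to set it to false explicitly (assumption:
    the feature is on by default).
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "feature.public.access":
            return value.lower() != "false"
    return True


def triage(application_properties_json: str, bitbucket_properties: str,
           fixed_versions: FrozenSet[str] = frozenset()) -> str:
    """Classify an instance as 'not-affected', 'vulnerable-unauthenticated'
    (public repositories reachable without a login) or
    'vulnerable-authenticated-only' (mitigation applied; any account with read
    permission on a repository can still exploit the flaw)."""
    version = version_from_application_properties(application_properties_json)
    if not is_affected(version, fixed_versions):
        return "not-affected"
    if public_access_enabled(bitbucket_properties):
        return "vulnerable-unauthenticated"
    return "vulnerable-authenticated-only"


if __name__ == "__main__":
    print(triage(SAMPLE_APPLICATION_PROPERTIES, SAMPLE_BITBUCKET_PROPERTIES))
```

The "vulnerable-authenticated-only" result is deliberate: the mitigation shrinks the attacker population to authenticated users but leaves the injection itself in place, so an instance in that state still needs the upgrade.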

Source: https://portswigger.net/daily-swig/critical-command-injection-vulnerability-discovered-in-bitbucket-server-and-data-center


Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO