← Retour aux CVEs
CVE-2022-36804
HIGHCISA KEV8.8
Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
Details CVE
Score CVSS v3.18.8
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie8/25/2022
Derniere modification10/24/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurAtlassian
ProduitBitbucket Server and Data Center
Nom vulnerabiliteAtlassian Bitbucket Server and Data Center Command Injection Vulnerability
Date ajout KEV2022-09-30
Date limite remediation2022-10-21
Utilise dans ransomwareUnknown
Produits affectes
atlassian:bitbucket
Faiblesses (CWE)
CWE-78CWE-88CWE-78CWE-88
References
http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html(security@atlassian.com)
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html(security@atlassian.com)
https://jira.atlassian.com/browse/BSERV-13438(security@atlassian.com)
http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
https://jira.atlassian.com/browse/BSERV-13438(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.