Atlassian has published a security advisory alerting Bitbucket Server and Data Center users to a critical vulnerability (9.9 out of 10 on the CVSS scale) that attackers could use to execute arbitrary code.
Let me remind you that we also talked about the fact that miners abuse GitHub infrastructure, and also that hackers attack PyPI package developers.
The developers write that the CVE-2022-36804 problem appeared in version 7.0.0 of Bitbucket Server and Data Center. The bug is described as a command injection vulnerability that can be exploited using specially crafted HTTP requests.
The issue, discovered by information security expert Max Garrett, alias @TheGrandPew, affects all versions of Bitbucket Server and Data Center released after 6.10.17, including 7.0.0 and newer:
- Bitbucket Server and Data Center 7.6;
- Bitbucket Server and Data Center 7.17;
- Bitbucket Server and Data Center 7.21;
- Bitbucket Server and Data Center 8.0;
- Bitbucket Server and Data Center 8.1;
- Bitbucket Server and Data Center 8.2;
- Bitbucket Server and Data Center 8.3.
Versions in which the problem is fixed: 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2 and 8.3.1.
As a temporary security measure (in case patches cannot be applied immediately), Atlassian recommends disabling public repositories with feature.public.access=false to prevent unauthorized users from exploiting the vulnerability. However, an attacker with a user account can still succeed in an attack.
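As an added example (not from Atlassian or the advisory), the following script turns the version list and the workaround above into an automated check: it classifies an installed Bitbucket version against the fixed versions named in the advisory and inspects a `bitbucket.properties` text for the `feature.public.access=false` mitigation. It assumes that a release branch for which the advisory lists no fix should be treated as unpatched, and that an absent `feature.public.access` key should not be assumed to mean the workaround is in place.

```python
"""Classify a Bitbucket Server / Data Center version against CVE-2022-36804.

From the advisory: every version after 6.10.17 (7.0.0 and newer) is affected;
fixed releases are 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2 and 8.3.1.
Assumption: a branch with no fix listed in the advisory is reported as vulnerable.
"""
from typing import Tuple

Version = Tuple[int, int, int]

LAST_UNAFFECTED: Version = (6, 10, 17)
FIXED_VERSIONS = [(7, 6, 17), (7, 17, 10), (7, 21, 4),
                  (8, 0, 3), (8, 1, 3), (8, 2, 2), (8, 3, 1)]


def parse_version(text: str) -> Version:
    """Turn '7.21.4' (or a branch name like '8.3') into a comparable tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    while len(parts) < 3:          # '8.3' is read as 8.3.0
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def status(version_text: str) -> str:
    """Return 'not_affected', 'fixed' or 'vulnerable' for one installed version."""
    v = parse_version(version_text)
    if v <= LAST_UNAFFECTED:
        return "not_affected"
    for fixed in FIXED_VERSIONS:
        if fixed[:2] == v[:2]:     # same release branch: compare the patch level
            return "fixed" if v >= fixed else "vulnerable"
    return "vulnerable"            # assumption: no fix listed for this branch


def public_access_disabled(properties_text: str) -> bool:
    """True only if the text explicitly sets feature.public.access=false."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):   # .properties comments
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "feature.public.access":
            return value.strip().lower() == "false"
    return False   # key absent: do not assume the workaround is applied


if __name__ == "__main__":
    # Constructed sample input, not taken from a real installation.
    sample_props = "# constructed sample\nserver.port=7990\nfeature.public.access=false\n"
    for ver in ("6.10.17", "7.0.0", "7.21.3", "7.21.4", "8.3"):
        print(ver, status(ver))
    print("workaround applied:", public_access_disabled(sample_props))
```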
Garrett has already promised on Twitter that he will release a PoC exploit for CVE-2022-36804 in 30 days, which in the meantime gives administrators time to install the available patches. At the same time, Garrett warns that reverse engineering the Atlassian patch is unlikely to be too difficult for experienced hackers, so attacks on the fresh vulnerability could begin even before the PoC is published.