2022-10-03

The U.S. Cybersecurity and Infrastructure Security Agency added a Bitbucket Server and Data Center vulnerability to its list.

The U.S. Cybersecurity and Infrastructure Security Agency added a vulnerability that impacts Atlassian's Bitbucket Server and Data Center to its Known Exploited Vulnerabilities Catalog, urging users to patch the critical vulnerability, which is under active attack. The vulnerability, tracked as CVE-2022-36804, is a command injection vulnerability that allows attackers to gain arbitrary code execution by sending a specially crafted HTTP request.

Patched in August

On 24 August, Atlassian published an advisory about the critical vulnerability. The company stated that the vulnerability was introduced in version 7.0.0 of Bitbucket Server and Data Center, so every version released after 6.10.17 (that is, 7.0.0 and newer) is affected; in concrete terms, all versions from 7.0.0 through 8.3.0 are affected.

By exploiting the vulnerability, an attacker with access to a public repository, or with read permissions to a private Bitbucket repository, can execute arbitrary code by sending a malicious HTTP request. The vulnerability is fixed in versions 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, and 8.3.1 or newer.

Atlassian also published a mitigation for the vulnerability. Users who can't upgrade to a fixed version can turn off public repositories globally by setting feature.public.access=false. This changes the attack vector from an unauthorized attack to an authorized one: an attacker would then need an account with read access to a repository, so the setting reduces exposure but does not remove the vulnerability.
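A small triage helper for the version ranges and the interim mitigation described above, added here as an example (it is not code from the article or from Atlassian). It encodes the affected range and the fixed releases named in the advisory; the property file name bitbucket.properties and the sample inputs are assumptions made for this example.

```python
"""Triage a Bitbucket Server / Data Center instance against CVE-2022-36804."""

AFFECTED_MIN = (7, 0, 0)   # vulnerability introduced in 7.0.0
AFFECTED_MAX = (8, 3, 0)   # last affected release before 8.3.1
# First fixed patch level on each maintenance branch (major.minor -> patch).
FIXED = {(7, 6): 17, (7, 17): 10, (7, 21): 4, (8, 0): 3, (8, 1): 3, (8, 2): 2, (8, 3): 1}


def parse_version(text):
    """Turn '7.21.3' into (7, 21, 3); missing components count as zero."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def triage_version(text):
    """Return 'patched', 'vulnerable' or 'not-affected' for a version string."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED and v[2] >= FIXED[branch]:
        return "patched"        # on a fixed branch, at or above the fix level
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"     # inside the affected range, fix not applied
    if v > AFFECTED_MAX:
        return "patched"        # newer than 8.3.0 (8.3.1 or later)
    return "not-affected"       # older than 7.0.0, e.g. the 6.10.x line


def public_access_disabled(properties_text):
    """True if the (assumed) bitbucket.properties sets feature.public.access=false.
    Java properties semantics: comments are ignored and the last assignment wins."""
    disabled = False
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "feature.public.access":
            disabled = value.strip().lower() == "false"
    return disabled


def triage(version, properties_text):
    """Combine version status with the mitigation; mitigated is still vulnerable."""
    status = triage_version(version)
    if status == "vulnerable" and public_access_disabled(properties_text):
        return "vulnerable-mitigated"
    return status


if __name__ == "__main__":
    # Constructed sample: an 8.2.1 instance that has applied the interim mitigation.
    sample_props = "# interim mitigation\nfeature.public.access=false\n"
    print(triage("8.2.1", sample_props))  # vulnerable-mitigated
```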