Russian Vulnerability Scanner Database

Back to List

CVE-2022-36804

Scores

EPSS Score

0.9443

CVSS

3.x 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

All CVSS Scores

CVSS 4.0
0.0
CVSS 3.x
8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0
0.0

Description

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

Sources

nvd

CWEs

CWE-78

Related Vulnerabilities

BDU:2022-05364

Exploits

Exploit ID: CVE-2022-36804

Source: cisa

URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Exploit ID: 51040

Source: exploitdb

URL: https://www.exploit-db.com/exploits/51040

Reference Links

http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html
https://jira.atlassian.com/browse/BSERV-13438
http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html
https://jira.atlassian.com/browse/BSERV-13438

Vulnerable Software

Type: Configuration

Vendor: atlassian

Product: bitbucket

Operating System: * * *

Trait: 
{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "7.6.17",
      "versionStartIncluding": "7.0.0",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "7.17.10",
      "versionStartIncluding": "7.7.0",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "7.21.4",
      "versionStartIncluding": "7.18.0",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "8.0.3",
      "versionStartIncluding": "8.0.0",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "8.1.3",
      "versionStartIncluding": "8.1.0",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "8.2.2",
      "versionStartIncluding": "8.2.0",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:atlassian:bitbucket:8.3.0:*:*:*:*:*:*:*",
      "vulnerable": true
    }
  ],
  "operator": "OR"
}

Source: nvd