A critical vulnerability has been identified in multiple versions of Atlassian's Bitbucket Server and Bitbucket Data Center. According to the advisory published by Atlassian, every version released after 6.10.17, including 7.0.0 and later, is affected. The vulnerability is not present in Atlassian Cloud, so users of the Atlassian-hosted bitbucket.org are not affected. The flaw has been given a 'critical' severity rating and a CVSS score of 9.9 out of 10.
Tracked as CVE-2022-36804, the flaw is a command injection vulnerability that allows remote attackers to execute arbitrary code on the server. It is present in multiple API endpoints of Bitbucket Server and Data Center, that is, in the HTTP interface through which the application is accessed. To exploit it, an attacker needs access to a Bitbucket repository: either a public repository, or a private one for which they hold read permission. The attacker then sends a specially crafted HTTP request to a vulnerable endpoint and achieves arbitrary code execution.
Atlassian has released patches, and users are urged to upgrade to a fixed version as soon as possible. The fixed versions are 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, 8.3.1, and any newer release. Minor lines not in that list (for example 7.18.x) have no fixed release of their own, so installations on those lines must be moved to one of the lines above. Users who cannot upgrade immediately can apply a temporary mitigation: disable public repositories globally by editing the bitbucket.properties file in the Bitbucket home directory and setting feature.public.access=false. This is not a permanent or complete fix, because it only blocks unauthenticated attackers. An attacker with a valid user account and read access to a repository can still exploit the flaw with the mitigation in place, so the only complete protection is to apply the update.
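The following Python script is an added example, not part of Atlassian's advisory or tooling. It encodes the advisory's fixed-version list so that a version string can be checked against it, and it parses bitbucket.properties to confirm that the interim feature.public.access=false mitigation is actually set. The sample properties content is constructed for the example; two assumptions are labelled in the code: that minor lines newer than 8.3 shipped with the fix (the advisory's "any newer versions" wording), and that public access is enabled when the property is absent.

```python
"""Check a Bitbucket Server / Data Center version against the CVE-2022-36804
fixed-version list, and check whether the interim mitigation is configured.

Added example; not Atlassian's own code. The version logic follows the
advisory text: everything after 6.10.17 (including 7.0.0 and later) that is
below the fixed release for its minor line is affected.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by (major, minor) line.
FIXED_VERSIONS = {
    (7, 6): (7, 6, 17),
    (7, 17): (7, 17, 10),
    (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 3),
    (8, 2): (8, 2, 2),
    (8, 3): (8, 3, 1),
}
LAST_UNAFFECTED: Version = (6, 10, 17)        # this version and older are not affected
NEWEST_FIXED: Version = max(FIXED_VERSIONS.values())  # 8.3.1


def parse_version(text: str) -> Version:
    """Turn '7.21.3' into (7, 21, 3); missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version_text: str) -> bool:
    """True if the given Bitbucket version is affected by CVE-2022-36804."""
    v = parse_version(version_text)
    if v <= LAST_UNAFFECTED:
        return False
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        return v < fixed
    # No fixed release on this minor line. Assumption: lines newer than the
    # newest fixed release (8.3.1) shipped with the fix; older unfixed lines
    # such as 7.18.x are affected and must be upgraded to a fixed line.
    return v < NEWEST_FIXED


def public_access_setting(properties_text: str) -> Optional[str]:
    """Return the last value set for feature.public.access, or None if absent.

    Follows Java .properties conventions: '#' or '!' starts a comment line,
    '=' or ':' separates key and value, and the last occurrence wins.
    """
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, val = line.partition("=")
        if not sep:
            key, sep, val = line.partition(":")
        if key.strip() == "feature.public.access":
            value = val.strip().lower()
    return value


def mitigation_applied(properties_text: str) -> bool:
    """True only if feature.public.access is explicitly false.

    Assumption: when the property is absent, public access is enabled, so an
    absent key means the mitigation is NOT in place.
    """
    return public_access_setting(properties_text) == "false"


# Constructed sample bitbucket.properties content for this example.
SAMPLE_PROPERTIES = """\
# constructed sample, not taken from a real installation
server.port=7990
feature.public.access=false
"""

if __name__ == "__main__":
    for ver in ["6.10.17", "7.6.16", "7.6.17", "7.18.2", "8.2.1", "8.2.2", "8.4.0"]:
        state = "VULNERABLE" if is_vulnerable(ver) else "fixed/unaffected"
        print(f"{ver:>8}  {state}")
    print("mitigation applied:", mitigation_applied(SAMPLE_PROPERTIES))
```

Run it against the version reported on the Bitbucket administration page and the contents of the real bitbucket.properties; a "VULNERABLE" result with the mitigation applied still means an authenticated attacker can exploit the flaw, so treat it as a reminder to schedule the upgrade, not as a clean bill of health.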
On 25 August, the security researcher who discovered the vulnerability stated that they would release a proof of concept (PoC) exploit for it "in 30 days". Once the PoC is public, exploitation is expected to increase, because more attackers will have the details needed to carry out the attack. Users should therefore apply the official update, or at least the interim mitigation, as soon as possible and before that 30-day window closes.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)