bitvoodoo Advisories
Space shortcuts
Space Tools
bitvoodoo Advisories BVADVIS
Skip to end of metadata
Go to start of metadata

Contents

Date

 

Product
  • Bitbucket Server

  • Bitbucket Data Center

VulnerabilityCritical
CVECVE-2022-36804
Official linkhttps://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html

Critical Severity Command Injection Vulnerability - CVE-2022-36804

Dear customer,

on the 24th of August 2022 at 7 PM CEST, Atlassian issued a Security Advisory for Bitbucket Server and Bitbucket Data Center.

Atlassian Cloud sites are not affected. If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.

What you need to know

This advisory discloses a critical severity security vulnerability which was introduced in version 7.0.0 of Bitbucket Server and Data Center. All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.

Affected Versions

All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.

Fixed Versions

Supported Version

Bug Fix Release

Bitbucket Server and Data Center 7.6

7.6.17 (LTS) or newer

Bitbucket Server and Data Center 7.17

7.17.10 (LTS) or newer

Bitbucket Server and Data Center 7.21

7.21.4 (LTS) or newer

Bitbucket Server and Data Center 8.0

8.0.3 or newer

Bitbucket Server and Data Center 8.1

8.1.3 or newer

Bitbucket Server and Data Center 8.2

8.2.2 or newer

Bitbucket Server and Data Center 8.3

8.3.1 or newer

What should I do?


You use Bitbucket Server or Data Center in a version listed in Affected Versions.

Update

Update to a version listed in Fixed Versions.

bitvoodoo recommends using the latest LTS releases of Bitbucket.

Bitbucket Mesh

If you have configured Bitbucket Mesh nodes, these will need to be updated with to the corresponding version of Mesh that includes the fix. To find the version of Mesh compatible with Bitbucket Data Center version, please check the  compatibility matrix . You can download the corresponding version from the download center.

If you are unsure if your Bitbucket instance has Bitbucket Mesh configured, as a user with system administration privileges navigate to  Administration > Bitbucket Mesh, this page will list Mesh nodes each of which will need to be upgraded.  If the list is empty, your instance does not have Mesh configured and this extra step is not required.

Workaround

To remediate this vulnerability, update each affected product installation to a fixed version listed above.

If you’re unable to upgrade Bitbucket, a temporary mitigation step is to turn off public repos globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack. This can not be considered a complete mitigation as an attacker with a user account could still succeed.

You use Bitbucket Cloud.

You are not affected by this Security Advisory.

No need for actions





Support

If you still have questions or concerns regarding this advisory, please contact the bitvoodoo support via support.bitvoodoo.ch.


bitvoodoo Advisories BVADVIS