CVE-2022-36804
In short
Multiple API endpoints in Atlassian Bitbucket Server and Data Center allow an attacker who has read access to a repository to execute arbitrary code on the server by sending a malicious HTTP request. The result is remote code execution on affected systems, which is why the issue is rated critical for server security.
Technical detail
A remote code execution (RCE) vulnerability in Bitbucket API endpoints, exploitable via crafted HTTP requests (CWE-78 OS command injection, CWE-88 argument injection). The attack requires only read permission on a repository; successful exploitation yields arbitrary code execution on the server. It affects unpatched versions across multiple release branches from 7.0.0 through 8.3.0.
Summary generated and translated by AI from the official description.
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
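An added Python check (not from this page or from Atlassian) that encodes the seven affected ranges in the description above as [first affected, first fixed) intervals per release branch, so a defender can triage an inventory of Bitbucket versions. It only knows the ranges listed here: versions outside them (older than 7.0.0 or newer than 8.3.1) are reported as not listed rather than as safe, and the sample versions in the main block are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges transcribed from the Atlassian description: [first_affected, first_fixed)
# per release branch. Constructed from the advisory text, not read from an Atlassian API.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 6, 17)),
    ((7, 7, 0), (7, 17, 10)),
    ((7, 18, 0), (7, 21, 4)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 2)),
    ((8, 3, 0), (8, 3, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (a missing patch counts as 0); reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside any [first_affected, first_fixed) range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def first_fixed_in_branch(text: str) -> Optional[str]:
    """Smallest fixed version on the same branch, or None if the version is not in a listed range."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


if __name__ == "__main__":
    # Constructed sample inventory: one version per branch plus a pre- and post-range value.
    for sample in ("7.6.16", "7.6.17", "7.20.0", "8.0.3", "8.3.0", "8.3.1", "8.4.0"):
        status = "affected" if is_affected(sample) else "not in listed ranges"
        print(f"{sample:>8}  {status:22}  upgrade to: {first_fixed_in_branch(sample)}")
```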
public PoCs found — 21
github.com/notdls/CVE-2022-36804 (★ 35)
github.com/notxesh/CVE-2022-36804-PoC (★ 18)
github.com/benjaminhays/CVE-2022-36804-PoC-Exploit (★ 16)
github.com/SystemVll/CVE-2022-36804 (★ 12)
github.com/walnutsecurity/cve-2022-36804 (★ 8)
github.com/ColdFusionX/CVE-2022-36804 (★ 7)
github.com/kljunowsky/CVE-2022-36804-POC (★ 7)
github.com/tahtaciburak/cve-2022-36804 (★ 7)
github.com/Chocapikk/CVE-2022-36804-ReverseShell (★ 4)
github.com/khal4n1/CVE-2022-36804 (★ 3)
github.com/Vulnmachines/bitbucket-cve-2022-36804 (★ 3)
github.com/asepsaepdin/CVE-2022-36804 (★ 0)
github.com/JohanGabrielson/bitbucket-test (★ 0)
github.com/JRandomSage/CVE-2022-36804-MASS-RCE (★ 0)
github.com/0xEleven/CVE-2022-36804-ReverseShell (★ 0)
github.com/devengpk/CVE-2022-36804 (★ 0)
github.com/imbas007/Atlassian-Bitbucket-CVE-2022-36804 (★ 0)
github.com/DanielHallbro/CVE-2022-36804-Bitbucket-RCE-Analysis (★ 0)
exploit-db: www.exploit-db.com/exploits/51040 (unverified)
CVE reference: packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html (unverified)
CVE reference: packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html
https://jira.atlassian.com/browse/BSERV-13438
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804