CVE-2022-36804
Bitbucket vulnerability analysis and mitigation

Overview

CVE-2022-36804 is a critical command injection vulnerability in Atlassian Bitbucket Server and Data Center. It affects every version released after 6.10.17, which covers all releases from 7.0.0 through 8.3.0. The flaw was reported by TheGrandPew through Atlassian's Bug Bounty program, and Atlassian published its advisory on August 24, 2022 (Atlassian Advisory).

Technical details

The vulnerability is reachable through multiple API endpoints of Bitbucket Server and Data Center, and its root cause lies in how the library Bitbucket uses to spawn processes handles null bytes: a null byte inside a single argument is treated as the end of that argument, so the remainder of an attacker-controlled value becomes one or more additional arguments. Assetnote's analysis demonstrated this against the /rest/api/latest/projects/PROJECTKEY/repos/REPO/archive endpoint, which streams an archive of the repository by invoking git. A null byte in a request parameter lets an attacker inject extra git arguments, including --exec, the option git archive uses to name the program run on the remote side, and that injected program yields command execution (Assetnote Research). Atlassian rates the vulnerability CVSSv3 9.9, Critical (Rapid7 Blog).
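The following is an added example, not Bitbucket or Atlassian code, that models the bug class described above. The process-spawning layer is simplified to a marshaller that packs argv into one NUL-separated buffer (an assumed model of the flawed library, not its real code), so it cannot distinguish an embedded NUL from an argument boundary. The git command shape and the `--exec` path are illustrative placeholders, not a working payload.

```python
# Added example, not Bitbucket or Atlassian code: a simplified model of the
# argument-injection bug class behind CVE-2022-36804. The flawed process
# layer is modelled as a marshaller that packs argv into one NUL-separated
# buffer (assumed model, not the real library), so a request parameter that
# contains "\x00" is split into extra git arguments.


def pack_argv(args: list[bytes]) -> bytes:
    """Flawed marshaller: writes each argument followed by a NUL terminator,
    with no check that the argument itself is NUL-free."""
    return b"".join(a + b"\x00" for a in args)


def unpack_argv(buf: bytes) -> list[bytes]:
    """What the child process receives: every NUL ends one argv entry."""
    return buf.split(b"\x00")[:-1]


def spawn_model(argv: list[bytes]) -> list[bytes]:
    """argv as the child sees it after the round trip through the buffer."""
    return unpack_argv(pack_argv(argv))


def build_archive_argv(prefix: bytes) -> list[bytes]:
    """Vulnerable pattern: a request parameter (here the archive 'prefix')
    is appended to one git argument without validation. The exact command
    line Bitbucket runs is not given on the page; this shape is illustrative."""
    return [b"git", b"archive", b"--format=zip", b"--prefix=" + prefix, b"HEAD"]


def has_embedded_nul(value: bytes) -> bool:
    """The check the process layer should have made on every argument."""
    return b"\x00" in value


def build_archive_argv_hardened(prefix: bytes) -> list[bytes]:
    """Hardened form: reject NUL bytes before the value reaches the process
    layer, so one request parameter can only ever become one argument."""
    if has_embedded_nul(prefix):
        raise ValueError("embedded NUL byte in request parameter")
    return build_archive_argv(prefix)


if __name__ == "__main__":
    benign = spawn_model(build_archive_argv(b"release"))
    # '--exec=' is the injected option named in the analysis; the path is a
    # placeholder, not a working payload.
    hostile = spawn_model(build_archive_argv(b"x\x00--exec=/attacker/path"))
    print(len(benign), benign)    # 5 arguments, as intended
    print(len(hostile), hostile)  # 6 arguments: '--exec=...' is now its own argv entry
    try:
        build_archive_argv_hardened(b"x\x00--exec=/attacker/path")
    except ValueError as err:
        print("rejected:", err)
```

Python's own `subprocess` module refuses an argument containing a NUL byte (it raises `ValueError: embedded null byte`), which is exactly the check the flawed layer lacked: the defence belongs at the process boundary, not in each caller's memory of which parameters are dangerous.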

Impact

A remote attacker with read permission on a public or private Bitbucket repository can execute arbitrary code by sending a single malicious HTTP request. Where public repositories are enabled, that includes unauthenticated attackers; otherwise any authenticated user with read access to a repository qualifies. Successful exploitation gives the attacker code execution as the Bitbucket service account, and with it control over the host and the repositories it serves (NVD Report).
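Because exploitation is a single HTTP request carrying a null byte, a first-pass hunt is to look for requests to the archive endpoint whose query string decodes to a NUL. The block below is an added example, not part of the advisory or of Bitbucket: it runs that check over constructed access-log lines in Apache combined format (Bitbucket's own access log format differs, so the line regex is an assumption to adapt). The `%2500` case shows the double-encoding caveat: after one decode it is the literal text `%00`, not a NUL, so it is reported at lower confidence rather than dropped.

```python
# Added example, not part of the original advisory or of Bitbucket: hunt an
# access log for archive-endpoint requests whose query string decodes to a
# NUL byte, the indicator behind CVE-2022-36804 exploitation attempts.
import re
from urllib.parse import unquote_to_bytes

# Apache combined format (assumed; Bitbucket's own access log differs).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Versioned REST path; 'latest' is the form on the page, other version
# segments are assumed to follow the same layout.
ARCHIVE_PATH = re.compile(r"^/rest/api/[^/]+/projects/[^/]+/repos/[^/]+/archive$")

# Constructed sample lines; the hostile query shapes are indicators only.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Aug/2022:10:01:02 +0000] "GET /projects/PROJ/repos/app/browse HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Aug/2022:10:01:05 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip&prefix=rel HTTP/1.1" 200 9812',
    '198.51.100.9 - - [25/Aug/2022:10:02:11 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip&prefix=a%00--exec=x HTTP/1.1" 500 0',
    '198.51.100.9 - - [25/Aug/2022:10:02:12 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?prefix=a%2500 HTTP/1.1" 200 77',
]


def find_null_byte_archive_requests(lines):
    """Return one record per archive request whose query string carries a
    NUL byte (high confidence) or a double-encoded %00 (low confidence)."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not ARCHIVE_PATH.match(path):
            continue
        decoded = unquote_to_bytes(query)  # one decode, as the server does
        if b"\x00" in decoded:
            confidence = "high"
        elif b"%00" in decoded:
            confidence = "low"  # %2500: only a NUL if the app decodes twice
        else:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": m.group("status"),
            "query": query,
            "confidence": confidence,
        })
    return hits


if __name__ == "__main__":
    for hit in find_null_byte_archive_requests(SAMPLE_LOG):
        print(hit["confidence"], hit["ip"], hit["status"], hit["query"])
```

A 500 response on a flagged request is not proof of failure: the injected git invocation may error out after the attacker's program has already run, so every hit should be correlated with process and file-system activity on the Bitbucket host around that timestamp.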

Mitigation and workarounds

Atlassian has released fixed versions for every supported line: 7.6.17 (LTS) or newer, 7.17.10 (LTS) or newer, 7.21.4 (LTS) or newer, 8.0.3 or newer, 8.1.3 or newer, 8.2.2 or newer, and 8.3.1 or newer. Installations on a minor line without a fix release of its own (for example 7.15.x) must move to one of these lines. For organizations unable to upgrade immediately, a temporary mitigation is to disable public repositories globally by setting feature.public.access=false in bitbucket.properties. This is not a fix: it only changes the attack vector from unauthenticated to authenticated, and any user who can read a repository can still exploit the flaw (Atlassian Advisory).
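Turning the affected range, the fix list and the workaround into something an inventory script can evaluate, as an added example that is not Atlassian's code: it takes a dotted numeric Bitbucket version (suffixed build strings are not handled, an assumption) and a bitbucket.properties body, and reports whether the instance is in the affected range, which fix release applies to its line, and whether the workaround is set. The default of public access being enabled when the property is absent is an assumption.

```python
# Added example, not Atlassian's code: evaluate a Bitbucket Server / Data
# Center version against the CVE-2022-36804 affected range and fix releases
# from the advisory, and check bitbucket.properties for the workaround.

AFFECTED_AFTER = (6, 10, 17)   # every version released after 6.10.17 is affected
AFFECTED_UPTO = (8, 3, 0)      # 8.3.1 is the first fixed release of the newest line
FIXED_VERSIONS = ["7.6.17", "7.17.10", "7.21.4", "8.0.3", "8.1.3", "8.2.2", "8.3.1"]
LTS_FIXED = ["7.6.17", "7.17.10", "7.21.4"]


def parse_version(text: str) -> tuple:
    """Dotted numeric version only (assumption; build suffixes not handled)."""
    return tuple(int(part) for part in text.strip().split("."))


def fixed_version_for_line(version: str):
    """Fix release on the same major.minor line, or None if that line has none."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == v[:2]:
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True if the version lies in the advisory's affected range and is
    older than its line's fix release."""
    v = parse_version(version)
    if v <= AFFECTED_AFTER or v > AFFECTED_UPTO:
        return False
    fixed = fixed_version_for_line(version)
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def upgrade_target(version: str) -> str:
    """Same-line fix if one exists, otherwise the newest LTS fix release."""
    return fixed_version_for_line(version) or LTS_FIXED[-1]


def public_access_disabled(properties_text: str) -> bool:
    """True if bitbucket.properties sets feature.public.access=false.
    An absent property is treated as public access enabled (assumed default)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "feature.public.access":
            return value.strip().lower() == "false"
    return False


def assess(version: str, properties_text: str) -> dict:
    """One record per instance, suitable for an inventory report."""
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "upgrade_to": upgrade_target(version) if affected else None,
        "workaround_applied": public_access_disabled(properties_text),
    }


if __name__ == "__main__":
    sample_props = "server.port=7990\n# workaround\nfeature.public.access=false\n"  # constructed
    for ver in ["7.21.3", "7.21.4", "7.15.0", "8.3.0", "8.3.1", "6.10.17"]:
        print(assess(ver, sample_props))
```

Note that `workaround_applied` being true never clears the `affected` flag: the report keeps both so that instances relying on the workaround still show up in the upgrade queue.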

Community reactions

The vulnerability received significant attention from the security community due to its critical severity and ease of exploitation. Atlassian responded promptly to the disclosure, issuing patches and a comprehensive advisory. The discovery was made through Atlassian's Bug Bounty program, with the researcher being awarded $6,000 for the finding (Assetnote Research).
