DIVD-2022-00053 - Atlassian Bitbucket Server - CVE-2022-36804

Our reference DIVD-2022-00053
Case lead Ralph Horn
Author Pepijn van der Stap
Researcher(s)
CVE(s)
Product Atlassian Bitbucket Server
Versions 7.0.0, 7.0.1, 7.2.0, 7.0.2, 7.1.1, 7.0.3, 7.1.2, 7.0.4, 7.1.3, 7.2.1, 7.3.0, 7.0.5, 7.1.4, 7.2.2, 7.2.3, 7.2.4, 7.4.0, 7.3.1, 7.2.5, 7.3.2, 7.4.1, 7.5.0, 7.4.2, 7.5.1, 7.6.0, 7.2.6, 7.5.2, 7.6.1, 7.7.0, 7.8.0, 7.7.1, 7.6.2, 7.9.0, 7.8.1, 7.9.1, 7.10.0, 7.6.3, 7.6.4, 7.10.1, 7.12.0, 7.11.1, 7.6.5, 7.11.2, 7.6.6, 7.13.0, 7.12.1, 7.6.7, 7.14.0, 7.13.1, 7.15.0, 7.14.1, 7.6.8, 7.14.2, 7.6.9, 7.15.1, 7.16.0, 7.15.2, 7.17.0, 7.18.0, 7.16.1, 7.6.10, 7.17.1, 7.17.2, 7.18.1, 7.6.11, 7.16.2, 7.17.3, 7.18.2, 7.20.0, 7.18.3, 7.17.4, 7.15.3, 7.16.3, 7.6.12, 7.6.13, 7.19.2, 7.18.4, 7.17.5, 7.19.3, 7.6.14, 8.0.0, 7.21.0, 7.17.6, 7.19.4, 7.20.1, 7.21.1, 7.6.15, 7.17.7, 7.19.5, 7.20.2, 7.17.8, 8.1.0, 8.2.0, 8.0.1, 8.1.1, 7.6.16, 7.21.2, 7.17.9, 7.20.3, 7.21.3, 8.0.2, 8.1.2, 8.2.1, 8.3.0
Recommendation Update to 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, 8.3.1 or higher.
Workaround set feature.public.access to false in the bitbucket.properties configuration file.
Status Closed
Last modified 31 May 2023 20:24

Summary

On 24 August 2022, Atlassian released a security advisory for CVE-2022-36804.

The vulnerability allows an unauthenticated attacker to execute arbitrary code on a Bitbucket Server instance. This vulnerability can only be exploited when at least one repository is set to ‘public access’.

All versions released from 7.0.0 and newer are affected. Every Bitbucket Server that uses a version between 7.0.0 and 8.3.0 is affected by this vulnerability.

It is very likely that this vulnerability is actively exploited, since the exploit code is readily available.

What you can do

Users with these vulnerable versions should update as soon as possible. Bitbucket’s vendor (Atlassian) released updates for all affected versions.

Review whether your public repositories are set to public on purpose or by accident. Review this on the repository details page and change the visibility of the repository if needed.

If you had a vulnerable version with a public repository, we recommend to check your server logs for any suspicious activity.

In general, we recommend ACLs to limit access to the Bitbucket environment to trusted users.

What we are doing

We are actively scanning the internet for vulnerable Bitbucket instances and will notify system owners via the listed abuse contacts.

Timeline

Date Description
24 Aug 2022 Atlassian released a security advisory for CVE-2022-36804.
21 Sep 2022 DIVD starts scanning for vulnerable Bitbucket instances.
22 Sep 2022 DIVD starts first round of notifications.
11 Oct 2022 DIVD starts second round of notifications.
11 Nov 2022 DIVD starts third round of notifications.
22 Feb 2023 Case closed.
gantt title DIVD-2022-00053 - Atlassian Bitbucket Server - CVE-2022-36804 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00053 - Atlassian Bitbucket Server - CVE-2022-36804 (154 days) :2022-09-21, 2023-02-22 section Events Atlassian released a security advisory for CVE-2022-36804. : milestone, 2022-08-24, 0d DIVD starts scanning for vulnerable Bitbucket instances. : milestone, 2022-09-21, 0d DIVD starts first round of notifications. : milestone, 2022-09-22, 0d DIVD starts second round of notifications. : milestone, 2022-10-11, 0d DIVD starts third round of notifications. : milestone, 2022-11-11, 0d Case closed. : milestone, 2023-02-22, 0d

More information