
DIVD-2022-00060 - Command Injection vulnerability in Bitbucket Server and Data Center

Our reference DIVD-2022-00060
Case lead Melvin Boers
Author Max van der Horst
Researcher(s)
CVE(s)
Product Bitbucket Server, Bitbucket Data Center
Versions v7.0 to v7.5, v7.6.0 to v7.6.18, v7.7 to v7.16, v7.17.0 to v7.17.11, v7.18 to v7.20, v7.21.0 to v7.21.5 and if `mesh.enabled` is set to `false` in `bitbucket.properties`, v8.0 to v8.4.1.
Recommendation Upgrade your affected installations to one of the fixed versions listed by Atlassian in their Security Advisory.
Workaround If upgrading is not an option, a temporary mitigation step is to disable the Public Signup option. This changes the attack vector from unauthenticated to authenticated.
Status Closed
Last modified 13 Mar 2023 10:51 CET

Summary

There is a command injection vulnerability in Bitbucket Server and Data Center that leverages environment variables to execute code on the system. Atlassian Cloud sites are not affected by this vulnerability. Multiple versions are affected, and in their Security Advisory, Atlassian recommends upgrading to one of the patched versions.

If upgrading is not possible, disabling the Public Signup option changes the attack vector from unauthenticated to authenticated. Doing so lowers the risk of exploitation. Bitbucket Server and Data Center instances running PostgreSQL are not affected.
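To turn the affected-version list above into something a fleet owner can check against an inventory, the following added example (not DIVD's or Atlassian's code) encodes the ranges from this case file, including the `mesh.enabled` condition for v8.x. It assumes versions are written as `major.minor.patch` and treats a bare minor bound such as "v7.5" as covering every patch level of that minor; when `mesh.enabled` is unknown, it conservatively reports an 8.x instance as affected.

```python
# Added example, not code from the DIVD case file or from Atlassian.
# Checks whether a Bitbucket Server / Data Center version falls inside the
# affected ranges listed in DIVD-2022-00060.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected 7.x ranges from the case file, inclusive on both ends.
# Assumption: a bare bound like "v7.5" covers all 7.5.x patch levels,
# so the upper bound uses a large patch number.
AFFECTED_7X = [
    ((7, 0, 0), (7, 5, 999)),
    ((7, 6, 0), (7, 6, 18)),
    ((7, 7, 0), (7, 16, 999)),
    ((7, 17, 0), (7, 17, 11)),
    ((7, 18, 0), (7, 20, 999)),
    ((7, 21, 0), (7, 21, 5)),
]
# v8.0 to v8.4.1 is affected only when mesh.enabled=false in bitbucket.properties.
AFFECTED_8X_MESH_DISABLED = ((8, 0, 0), (8, 4, 1))


def parse_version(text: str) -> Version:
    """Turn 'v7.6.3' or '7.6' into a (major, minor, patch) tuple."""
    nums = [int(p) for p in text.strip().lstrip("v").split(".")]
    while len(nums) < 3:  # pad missing minor/patch with 0
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str, mesh_enabled: Optional[bool] = None) -> bool:
    """True when the version is in an affected range from the case file.

    For 8.x the answer depends on mesh.enabled; if that setting is unknown
    (None), the instance is conservatively reported as affected.
    """
    v = parse_version(version)
    for low, high in AFFECTED_7X:
        if low <= v <= high:
            return True
    low, high = AFFECTED_8X_MESH_DISABLED
    if low <= v <= high:
        return mesh_enabled is not True
    return False
```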

What you can do

We advise you to upgrade your instance to one of the listed patched versions in the Security Advisory. If doing so is not possible, disabling the Public Signup option temporarily narrows down the attack vector of the vulnerability.

What we are doing

We are actively scanning the internet for Bitbucket instances that have not yet upgraded to a patched version and will notify system owners via the listed abuse contacts.

Timeline

Date Description
17 Nov 2022 DIVD starts tracking this vulnerability
22 Nov 2022 DIVD creates a method to fingerprint servers for this vulnerability
26 Nov 2022 DIVD starts a first scan to find vulnerable parties
26 Nov 2022 First version of this case file
08 Dec 2022 DIVD sends first emails to parties that remain vulnerable.
18 Jan 2023 DIVD conducts a rescan
20 Jan 2023 DIVD sends a second round of notifications.
07 Mar 2023 DIVD sends a third and final round of notifications.
13 Mar 2023 Case closed.

More information