DIVD-2022-00060 - Command Injection vulnerability in Bitbucket Server and Data Center
|Case lead||Melvin Boers|
|Author||Max van der Horst|
|Product||Bitbucket Server, Bitbucket Data Center|
|Versions||v7.0 to v7.5, v7.6.0 to v7.6.18, v7.7 to v7.16, v7.17.0 to v7.17.11, v7.18 to v7.20, v7.21.0 to v7.21.5 and if `mesh.enabled` is set to `false` in `bitbucket.properties`, v8.0 to v8.4.1.|
|Recommendation||Upgrade your affected installations to one of the fixed versions listed by Atlassian in their Security Advisory.|
|Workaround||If upgrading is not an option, a temporary mitigation step is to disable the Public Signup option. This changes the attack vector from unauthenticated to authenticated.|
|Last modified||13 Mar 2023 10:51|
There is a command injection vulnerability in Bitbucket Server and Data Center that leverages environment variables execute code on the system. Atlassian Cloud sites are not affected by this vulnerability. There are multiple affected versions, and in their Security Advisory, Atlassian recommends to upgrade to one of the patched versions.
If upgrading is not possible, disabling the Public Signup option changes the attack vector from unauthenticated to authenticated. Doing so lowers the risk of exploitation. Bitbucket Server and Data Center instances running PostgreSQL are not affected.
What you can do
We advise you to upgrade your instance to one of the listed patched versions in the Security Advisory. If doing so is not possible, disabling the Public Signup option temporarily narrows down the attack vector of the vulnerability.
What we are doing
We are actively scanning the internet for Bitbucket instances that have not yet upgraded to a patched version and will notify system owners via the listed abuse contacts.
|17 Nov 2022||DIVD starts tracking this vulnerability|
|22 Nov 2022||DIVD creates a method to fingerprint servers for this vulnerability|
|26 Nov 2022||DIVD starts a first scan to find vulnerable parties|
|26 Nov 2022||First version of this case file|
|08 Dec 2022||DIVD sends first emails to parties that remain vulnerable.|
|18 Jan 2023||DIVD conducts a rescan|
|20 Jan 2023||DIVD sends a second round of notifications.|
|07 Mar 2023||DIVD sends a third and final round of notifications.|
|13 Mar 2023||Case closed.|