Two Atlassian products, Bitbucket and Data Center, are affected by a bug that would let attackers take over the device by injecting arbitrary code remotely.

Although the security researcher who discovered the bug was awarded a bounty, he has decided to share a proof-of-concept exploit for it soon, which may cause a spike in attacks against vulnerable systems. Atlassian has made a patch available and urges users to update.

Arbitrary Code Execution in Atlassian Products

Bitbucket from Atlassian is a Git-based code hosting and collaboration tool used mostly by enterprises, whereas Data Center is a deployment option with high scaling ability for any of your Atlassian projects.

Both products have a critical RCE security vulnerability, tracked as CVE-2022-36804. An attacker exploiting this bug can remotely inject malicious commands into the victim’s machines.

The bug was given a severity score of 9.9/10, considering that it is present in multiple API endpoints of the software products. Warning the public of its consequences, Atlassian released a security advisory today, which notes:

“An attacker with access to a public repository or with reading permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”

According to Atlassian, all Bitbucket Server and Data Center instances running versions 6.10.17 to 8.3.0 are affected. It has also released a patch, with the fixed versions now being 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, and 8.3.1.

Unfortunately, there is no patch for older versions, such as the 6.x branch, since they are unsupported. As these have no official fix, Atlassian asked customers running them to try a partial mitigation: turning off public repositories using “feature.public.access=false”.

While this blocks unauthorized users from accessing your projects, hackers with compromised credentials of any authorized user may still get in to perform attacks.
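As an added example (not from Atlassian or the original article), the Python sketch below triages Bitbucket Server/Data Center version strings against the version numbers quoted above and checks properties-file text for the partial mitigation. Function names and sample inputs are hypothetical, and a version the article does not list is reported as outside the listed range rather than as safe.

```python
# Added example: version data is copied from the article; names are hypothetical.
AFFECTED_MIN = (6, 10, 17)
AFFECTED_MAX = (8, 3, 0)
# First fixed patch level per (major, minor) branch, as listed in the article.
FIXED = {(7, 6): 17, (7, 17): 10, (7, 21): 4,
         (8, 0): 3, (8, 1): 3, (8, 2): 2, (8, 3): 1}


def parse_version(text):
    """Turn '7.17.9' into (7, 17, 9); reject anything that is not X.Y.Z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an X.Y.Z version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'patched', 'affected', 'affected-unsupported' or 'outside-listed-range'."""
    v = parse_version(version_text)
    fix = FIXED.get(v[:2])
    if fix is not None and v[2] >= fix:
        return "patched"
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return "outside-listed-range"
    # The article says the 6.x branch gets no fix, only the partial mitigation.
    return "affected-unsupported" if v[0] == 6 else "affected"


def public_access_disabled(properties_text):
    """True if the partial mitigation feature.public.access=false is set."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or properties-file comment
        key, sep, val = line.partition("=")
        if sep and key.strip() == "feature.public.access":
            value = val.strip().lower()  # last definition wins
    return value == "false"


if __name__ == "__main__":
    # Constructed sample inventory and constructed properties-file content.
    for ver in ["6.10.17", "7.6.16", "7.6.17", "7.18.0", "8.3.0", "8.3.1"]:
        print(ver, classify(ver))
    sample = "# constructed sample\nfeature.public.access=false\n"
    print("mitigation set:", public_access_disabled(sample))
```

A result of "affected" on a branch with no listed fix, such as 7.18.0, means moving to one of the fixed releases; the mitigation check only confirms the setting is present, not that the instance is protected against authenticated users.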

Also, people accessing their Bitbucket server via domains aren’t impacted since they’re hosted by the vendor. The security researcher who found this vulnerability – Max Garrett – was awarded a $6,000 bug bounty by Atlassian.

Yet, he promised to release a proof-of-concept (PoC) exploit for the bug in 30 days, which should be ample time for customers to patch their systems.

