Atlassian has published a security advisory warning Bitbucket Server and Data Center users of a critical security flaw that attackers could leverage to execute arbitrary code on vulnerable instances.
Bitbucket is a Git-based code hosting, management, and collaboration tool, with Jira and Trello integration.
The latest flaw is tracked as CVE-2022-36804 and is a command injection in multiple API endpoints of the software product. It has received a CVSS severity score of 9.9 out of a maximum of 10.0, making this a critical vulnerability that should be patched immediately.
“An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request,” explains Atlassian’s advisory.
The vulnerability impacts all Bitbucket Server and Data Center versions after 6.10.17, including 7.0.0 and up to 8.3.0.
The versions that address the problem are 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, and 8.3.1. Unfortunately, older and unsupported versions of the 6.x branch will not receive a fix for this flaw.
Those unable to apply the security updates are advised to apply temporary partial mitigation by turning off public repositories using “feature.public.access=false”.
This way, the instances won’t be accessible to unauthorized users; however, authorized users, like threat actors who have compromised valid credentials, may still perform attacks.
Atlassian notes that those accessing Bitbucket via bitbucket.org domains aren’t impacted by the critical RCE, as the vendor hosts those instances.
PoC is on its way
The security researcher who discovered CVE-2022-36804 back in July 2022, Max Garrett, reported it to Atlassian via the firm’s bug bounty program on Bugcrowd and received $6,000 for his finding.
Yesterday, the young researcher promised on Twitter to release a proof-of-concept (PoC) exploit for the bug in 30 days, giving system admins a comfortable time margin to apply the available fixes.
The release of the PoC is bound to cause a spike in active exploitation of the critical RCE flaw by hackers, but there’s no guarantee this won’t happen sooner.
Garrett told BleepingComputer that reverse engineering Atlassian’s patch shouldn’t be too difficult for skillful hackers.
Remote code execution is the most potent of all vulnerability types, enabling attackers to do extensive damage while bypassing all security measures, so the motive is there.
That said, Bitbucket Server and Data Center users are advised to apply the available security update or mitigations as soon as possible.