Connect with us

Business

Critical command injection vulnerability discovered in Bitbucket Server and Data Center

Published

on

A critical command injection vulnerability in a Bitbucket product could allow an attacker to execute arbitrary code, researchers warn.

Bitbucket is a Git-based source code repository hosting service owned by Atlassian.

The flaw, tracked as CVE-2022-36804, is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center.

Read more of the latest news about security vulnerabilities

This vulnerability could allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.

It was discovered by researcher ‘The Grand Pew’, who reported it through Bugcrowd’s bug bounty program.

Update now

All versions of the Server and Data Center released after 6.10.17 are affected, meaning that all instances running any versions between 7.0.0 and 8.3.0 inclusive are vulnerable.

Users are urged to update to the latest version. For those who cannot, Bitbucket has offered a workaround.

blog post reads: “A temporary mitigation step is to turn off public repositories globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack.”

Source: https://portswigger.net/daily-swig/critical-command-injection-vulnerability-discovered-in-bitbucket-server-and-data-center

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO