Atlassian issued a security alert for its Bitbucket Server and Datacenter solution. A vulnerability allows hackers to execute arbitrary code on affected instances.

Bitbucket is a Git-based code tool for hosting, management and collaboration. The tool integrates with Atlassian’s Jira and Trello solutions. The vulnerability found was dubbed CVE-2022-36804 and allows command injection into various API endpoints used by the tool.

Hackers with public repository access and read permissions for private Bitbucket repositories are able to execute arbitrary code by simply sending a malicious HTTP request to the target repository. Atlassian discovered the vulnerability through its Bug Bounty program.

All versions between 7.0 and 8.3 are vulnerable

Atlassian indicates that the vulnerability affects all Bitbucket Server and Datacenter versions later than 6.10.17y. This includes versions 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2 and 8.3.1. Atlassian said the cloud-based versions of Bitbucket Server and Datacenter aren’t affected by the vulnerability. These versions reside on instances hosted by Atlassian.

Fixes released

Atlassian released a number of fixes for various versions. According to Atlassian, customers who cannot implement at this time should temporarily disable public repositories via feature.public.access=false. This should prevent unauthorized users from accessing instances. Authorized users retain access. As a result, instances remain vulnerable to hackers that have authorized accounts.

Tip: Atlassian warns of vulnerabilities in nearly every product