How to Fix CVE-2022-36804- A Command Injection Vulnerability in Bitbucket Server and Data Center

Australian software company Atlassian is urging users to immediately patch a critical vulnerability, CVE-2022-36804, which allows a remote attacker with access to a public repository, or with read permission on a private Bitbucket repository, to execute arbitrary code by sending a malicious HTTP request. The warning matters because an attacker holding nothing more than a valid read-only Bitbucket account could use it to gain remote code execution on Bitbucket Server and Data Center. The issue needs to be fixed; this article therefore explains how to fix CVE-2022-36804, a command injection vulnerability in Bitbucket Server and Data Center.

A Short Note About Bitbucket:

Bitbucket is a web-based version control repository hosting service owned by Atlassian, for source code and development projects that use either the Mercurial (since launch) or Git (since October 2011) revision control systems. Bitbucket offers both commercial plans and free accounts. It has sister services, Bitbucket Cloud, Bitbucket Server, and Bitbucket Data Center, the latter two running on the customer’s premises.

Bitbucket is similar to GitHub and GitLab. All three offer free accounts with unlimited private repositories (although Bitbucket has a limit of five users for free plans), as well as paid accounts for users and organizations. Paid plans vary by the number of users, features, and support.

Bitbucket integrates with other Atlassian products such as JIRA, HipChat, and Bamboo. Bitbucket also offers a REST API that can be used to access repositories, users, groups, and events from outside of the Bitbucket web interface.

Some of the features offered by Bitbucket are:

  • Mercurial and Git support
  • Web-based interface
  • Unlimited private repositories
  • Integration with other Atlassian products

Bitbucket Cloud:

In September 2010, Atlassian launched Bitbucket Cloud, a service that allows users to host their Mercurial and Git repositories in the cloud. Bitbucket Cloud is a cloud-based version of Bitbucket Server hosted on Atlassian cloud servers that can be accessed via the bitbucket.org domain from anywhere over the internet.

Bitbucket Server:

Bitbucket Server is a self-hosted version of Bitbucket Cloud that runs on customer servers. Bitbucket Server is available for download from the Atlassian website. Bitbucket Server requires a MySQL database and an application server such as Tomcat, JBoss, or WebLogic.

Bitbucket Data Center:

Bitbucket Data Center is a version of Bitbucket Server designed for organizations with large numbers of users and repositories. Bitbucket Data Center is available as a downloadable virtual appliance from the Atlassian website. The appliance includes Bitbucket Server, MySQL, Apache, and all of the other software required to run Bitbucket Data Center.

Summary of CVE-2022-36804:

This is a command injection vulnerability in Bitbucket Server and Data Center that stems from the REST API service, which can be used to access repositories, users, groups, and events from outside the Bitbucket web interface.

The issue is tracked as CVE-2022-36804, and Atlassian rates its severity as ‘critical’. Let’s look at the details of the vulnerability and how to fix CVE-2022-36804 in the coming sections.

Associated CVE ID: CVE-2022-36804
Description: A command injection vulnerability in Bitbucket Server and Data Center
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Atlassian said, “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.” 
– Atlassian

Important points to know about CVE-2022-36804 (A Command injection vulnerability in Bitbucket Server and Data Center):

  1. The flaw affects only self-hosted products: Bitbucket Server and Bitbucket Data Center.
  2. Bitbucket Cloud is not vulnerable, and no action is required.
  3. This can be easily exploited by sending a malicious HTTP request.
  4. This vulnerability is only limited to Bitbucket. Other Atlassian products like Crowd, Jira, Confluence, or Bamboo are not vulnerable to this flaw.

Bitbucket Server And Data Center Versions Affected By CVE-2022-36804:

This issue affects all Bitbucket Server and Data Center versions from v7.0.0 to v8.3.0. Here is the full list of versions affected by CVE-2022-36804.

7.0.0, 7.0.1, 7.2.0, 7.0.2, 7.1.1, 7.0.3, 7.1.2, 7.0.4, 7.1.3, 7.2.1, 7.3.0, 7.0.5, 7.1.4, 7.2.2, 7.2.3, 7.2.4, 7.4.0, 7.3.1, 7.2.5, 7.3.2, 7.4.1, 7.5.0, 7.4.2, 7.5.1, 7.6.0, 7.2.6, 7.5.2, 7.6.1, 7.7.0, 7.8.0, 7.7.1, 7.6.2, 7.9.0, 7.8.1, 7.9.1, 7.10.0, 7.6.3, 7.6.4, 7.10.1, 7.12.0, 7.11.1, 7.6.5, 7.11.2, 7.6.6, 7.13.0, 7.12.1, 7.6.7, 7.14.0, 7.13.1, 7.15.0, 7.14.1, 7.6.8, 7.14.2, 7.6.9, 7.15.1, 7.16.0, 7.15.2, 7.17.0, 7.18.0, 7.16.1, 7.6.10, 7.17.1, 7.17.2, 7.18.1, 7.6.11, 7.16.2, 7.17.3, 7.18.2, 7.20.0, 7.18.3, 7.17.4, 7.15.3, 7.16.3, 7.6.12, 7.6.13, 7.19.2, 7.18.4, 7.17.5, 7.19.3, 7.6.14, 8.0.0, 7.21.0, 7.17.6, 7.19.4, 7.20.1, 7.21.1, 7.6.15, 7.17.7, 7.19.5, 7.20.2, 7.17.8, 8.1.0, 8.2.0, 8.0.1, 8.1.1, 7.6.16, 7.21.2, 7.17.9, 7.20.3, 7.21.3, 8.0.2, 8.1.2, 8.2.1, 8.3.0.

If you are using Bitbucket Mesh nodes, you should also check the corresponding Mesh versions, which are prone to this issue as well. Use the compatibility matrix below to match Mesh versions with the corresponding Data Center version. If you are not sure whether Bitbucket Mesh is configured, log in to your Bitbucket instance with an administrator account and navigate to Administration > Bitbucket Mesh. If your instance is configured with Mesh, you will see a list of Mesh nodes; if not, you can skip this step.

Bitbucket Data Center version    Mesh version
8.3.1                            1.3.1
8.3.0                            1.3.0
8.2.2                            1.2.2
8.2.1                            1.2.1
8.2.0                            1.2.0
8.1.3                            1.1.5
8.1.2                            1.1.4
8.1.0                            1.1.0
8.0.3                            1.0.5
8.0.2                            1.0.4
8.0.0                            1.0.0

How to Fix CVE-2022-36804- A Command Injection Vulnerability in Bitbucket Server and Data Center?

Atlassian responded to this flaw by releasing patched versions of Bitbucket Server and Data Center. Atlassian recommends upgrading vulnerable versions to any of the fixed versions. Please see the table below to know the fixed versions of Bitbucket Server and Data Center. If you want to download the latest versions of Bitbucket Server and Data Center, you can get it from the download center.

If you are not in a position to upgrade Bitbucket Server and Data Center any time soon, disable public access to repositories globally by setting feature.public.access=false until you can apply the permanent fix. This works as a roadblock and reduces the attack surface, but it does not mean you are protected from the attack: it only raises the bar from an unauthorized attack to one that requires an authorized account with read access.

Supported Version                          Bug Fix Release
Bitbucket Server and Data Center 7.6       7.6.17 (LTS) or newer
Bitbucket Server and Data Center 7.17      7.17.10 (LTS) or newer
Bitbucket Server and Data Center 7.21      7.21.4 (LTS) or newer
Bitbucket Server and Data Center 8.0       8.0.3 or newer
Bitbucket Server and Data Center 8.1       8.1.3 or newer
Bitbucket Server and Data Center 8.2       8.2.2 or newer
Bitbucket Server and Data Center 8.3       8.3.1 or newer

Considering all these aspects, it is clear that even if your repositories are not public, your instances are prone to attack unless you use the cloud version of Bitbucket. Upgrading is the only way to fix the CVE-2022-36804 vulnerability. Let’s see how to upgrade Bitbucket Server and Data Center in the coming section.
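As an added example (not from the original post and not Atlassian's code), the following Python script looks up the fix release for a running Bitbucket version using the table above and checks whether the interim mitigation feature.public.access=false is present in a bitbucket.properties fragment. The sample properties content is constructed, and the "nearest fixed line" heuristic in recommended_fix is an assumption of this example.

```python
# Added example: fix-release lookup from the article's table plus a check of
# the interim mitigation (feature.public.access=false) in bitbucket.properties.
FIXED_RELEASES = {  # (major, minor) line -> first fixed release
    (7, 6): (7, 6, 17), (7, 17): (7, 17, 10), (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3), (8, 1): (8, 1, 3), (8, 2): (8, 2, 2), (8, 3): (8, 3, 1),
}

def parse_version(text):
    """'v8.3.0' or '8.3.0' -> (8, 3, 0)."""
    return tuple(int(p) for p in text.strip().lstrip("v").split(".")[:3])

def is_affected(version):
    """Affected range is 7.0.0 .. 8.3.0; a version on a line that has a fix
    release is safe once it reaches that release."""
    v = parse_version(version)
    if v < (7, 0, 0) or v[:2] > (8, 3):
        return False
    fixed = FIXED_RELEASES.get(v[:2])
    return fixed is None or v < fixed

def recommended_fix(version):
    """Lowest fix release on the current line or a higher one (assumption:
    the nearest fixed line is the smallest upgrade jump). None if not affected."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    target = min(f for line, f in FIXED_RELEASES.items() if line >= v[:2])
    return ".".join(map(str, target))

def public_access_disabled(properties_text):
    """True only if feature.public.access is explicitly false in the
    bitbucket.properties text (assumption: absent key = access still enabled)."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "feature.public.access":
            return value.strip().lower() == "false"
    return False

# Constructed sample bitbucket.properties fragment.
SAMPLE_PROPERTIES = "# constructed sample\nserver.port=7990\nfeature.public.access=false\n"

if __name__ == "__main__":
    for ver in ("7.6.16", "7.20.3", "8.3.0", "8.3.1"):
        print(ver, "affected" if is_affected(ver) else "not affected", recommended_fix(ver))
    print("interim mitigation in place:", public_access_disabled(SAMPLE_PROPERTIES))
```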

How to Upgrade Bitbucket Server and Data Center?

Follow these steps to upgrade your Bitbucket Server. The Data Center upgrade procedure and the official procedure for upgrading Bitbucket without downtime are covered in the Atlassian guides listed below.

  1. Bitbucket Data Center upgrade guide
  2. Bitbucket Server upgrade guide
  3. Upgrade Bitbucket without downtime

Before you start, ask yourself the following questions. If you are not sure about any of them, create a test environment and run the upgrade as many times as needed until you are clear on every answer. Additionally, don’t forget to run the pre-checks and take a backup once you are ready for the upgrade.

  • Which upgrade method is the best option?
  • Has Atlassian’s supported platform changed?
  • Are you eligible to upgrade?
  • Do you need to make changes to your environment?

Time needed: 30 minutes.

  1. Download the Bitbucket Server upgrade installer file

    Download the latest versions of Bitbucket Server from the download center.

  2. Stop the Bitbucket Server application

    To stop the Bitbucket Server application from the Linux CLI, change to the <Bitbucket Server installation directory> and run the command below:

    # bin/stop-bitbucket.sh

  3. Run the downloaded installer

    Change to the directory where you downloaded the Bitbucket Server installer file, then run this command to make the installer executable:

    # chmod +x atlassian-bitbucket-x.x.x-x64.bin

    Run this command to execute the installer file.

    # sudo ./atlassian-bitbucket-x.x.x-x64.bin

  4. Complete the installation or upgrade procedure

    At the ‘Welcome’ step, choose the type of instance to upgrade, and at the ‘Select Bitbucket Server Home’ step, select your existing home directory. Proceed with the remaining installer steps to complete the installation or upgrade procedure.


About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
