9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.026 Low
EPSS
Percentile
90.2%
Update: 2022/04/08 23:00 UTC (Coordinated Universal Time, +0 hours)
h3. Vulnerability Details
Bitbucket Data Center uses the third-party software Hazelcast, which is vulnerable to Java deserialization attacks ([CVE-2022-26133|https://vulners.com/cve/CVE-2016-10750]). Hazelcast provides functionality needed to run Bitbucket Data Center as a cluster. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request, resulting in arbitrary code execution.
h3. Affected Versions
(i) Bitbucket Server is not affected.
(i) Bitbucket Cloud is not affected.
Both single and multi-node installations of Bitbucket Data Center are affected. Enabling or disabling clustering does not affect whether or not the application is vulnerable.
The following versions are affected:
h3. Fixed Versions
The following versions of Bitbucket Data Center fix this vulnerability:
Find the versions above on our [downloads page|https://www.atlassian.com/software/bitbucket/download-archives] and use the steps outlined in the [Bitbucket upgrade guide|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-upgrade-guide-776640551.html] to complete the upgrade.
If you are unable to install a fixed version, refer to the "Workaround" section below.
h3. Workaround
Restrict access to the Hazelcast port by using a firewall or other network access controls. The port only needs to be accessible by other nodes in the Bitbucket or Confluence cluster. Bitbucket Data Center configures Hazelcast to use [TCP port 5701 by default|https://confluence.atlassian.com/bitbucketserver/bitbucket-data-center-requirements-913477100.html].
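As an added example (not part of the Atlassian advisory), one way to apply the workaround above on a Linux node with iptables: only the peer cluster nodes may reach the Hazelcast port, everything else on that port is dropped, and a small audit function checks an existing ruleset for the same property. The node addresses and the chain name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Atlassian advisory: lock Hazelcast's
# default TCP port (5701) down so that only the other Bitbucket Data Center
# nodes can reach it. Node addresses and the chain name are assumptions.

HAZELCAST_PORT=5701
CLUSTER_NODES="10.0.1.11 10.0.1.12 10.0.1.13"   # constructed sample peers
CHAIN=HAZELCAST_IN

# Emit iptables commands: send traffic for the port into a dedicated
# chain, ACCEPT each peer node, then DROP everything else on that port.
hazelcast_rules() {
    port=$1; nodes=$2
    echo "iptables -N $CHAIN"
    echo "iptables -A INPUT -p tcp --dport $port -j $CHAIN"
    for node in $nodes; do
        echo "iptables -A $CHAIN -p tcp -s $node --dport $port -j ACCEPT"
    done
    echo "iptables -A $CHAIN -p tcp --dport $port -j DROP"
}

# Audit a ruleset (iptables -S style text on stdin) for one port:
# fail if any ACCEPT for the port has no source restriction (-s),
# or if no DROP rule terminates access to the port at all.
check_policy() {
    port=$1
    rules=$(grep -- "--dport $port" || true)
    # An ACCEPT without -s would admit the whole network to Hazelcast.
    if printf '%s\n' "$rules" | grep -- '-j ACCEPT' | grep -qv -- ' -s '; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -q -- '-j DROP' || return 1
    return 0
}

# Usage: print the rules (DRY_RUN=1, the default) or apply them as root.
if [ "${DRY_RUN:-1}" = 1 ]; then
    hazelcast_rules "$HAZELCAST_PORT" "$CLUSTER_NODES"
else
    hazelcast_rules "$HAZELCAST_PORT" "$CLUSTER_NODES" | sh
fi
```

To audit a live node rather than the generated rules, pipe `iptables -S` into `check_policy 5701`; a non-zero exit means the port is still reachable from addresses outside the cluster.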
h3. Acknowledgements
We would like to acknowledge Benny Jacob (SnowyOwl) for reporting this vulnerability.
h3. References
For more information, please refer to [Atlassian's security advisory|https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html].