CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center


![CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center](https://blog.rapid7.com/content/images/2022/09/atlassian-bitbucket-etr.jpg)

On August 24, 2022, Atlassian published [an advisory for Bitbucket Server and Data Center](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html>) alerting users to [CVE-2022-36804](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>). The advisory describes a command injection vulnerability in multiple API endpoints, which allows an attacker with access to a public repository, or with **read permissions** to a private Bitbucket repository, to execute arbitrary code by sending a malicious HTTP request. CVE-2022-36804 carries a CVSSv3 score of 9.8 and is easily exploitable. Rapid7’s vulnerability research team has a [full technical analysis in AttackerKB](<https://attackerkb.com/topics/iJIxJ6JUow/cve-2022-36804/rapid7-analysis/?utm_source=rapid7-blog&utm_medium=referral&utm_campaign=etr-atlassian-bitbucket>), including how to use CVE-2022-36804 to create a simple reverse shell.

[According to Shodan](<https://www.shodan.io/search?query=http.component%3A%22atlassian+bitbucket%22>), there are about 1,400 internet-facing servers, but it’s not immediately obvious how many have a public repository. There were no public reports of exploitation in the wild as of September 20, 2022 (edit: see note below), but there has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available. Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse-engineer, it’s likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon.
**Note:** Several threat intelligence sources [reported](<https://twitter.com/Shadowserver/status/1573300004072132608>) seeing exploitation attempts in the wild as of September 23, 2022.

**Affected products:**

* Bitbucket Server and Data Center 7.6 prior to 7.6.17
* Bitbucket Server and Data Center 7.17 prior to 7.17.10
* Bitbucket Server and Data Center 7.21 prior to 7.21.4
* Bitbucket Server and Data Center 8.0 prior to 8.0.3
* Bitbucket Server and Data Center 8.1 prior to 8.1.3
* Bitbucket Server and Data Center 8.2 prior to 8.2.2
* Bitbucket Server and Data Center 8.3 prior to 8.3.1

## Mitigation guidance

Organizations that use Bitbucket Server and Data Center in their environments should patch as quickly as possible [using Atlassian's guide](<https://confluence.atlassian.com/bitbucketserver/bitbucket-server-upgrade-guide-776640551.html>), without waiting for a regular patch cycle to occur. Blocking network access to Bitbucket may also function as a temporary stop-gap solution, but this should not be a substitute for patching. Keep in mind that the vulnerability is reachable by anyone who can read a repository: restricting public or anonymous repository access narrows the unauthenticated attack surface, but it does nothing against an attacker who already holds read permissions, so patching remains the only complete fix.

## Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-36804 with an unauthenticated vulnerability check in the September 20, 2022 content release (`ContentOnly-content-1.1.2653-202209202050`).

A detection rule, `Suspicious Process - Atlassian BitBucket Spawns Suspicious Commands`, was deployed to InsightIDR around 10am ET on September 22, 2022.

## Updates

**September 22, 2022 10:00AM ET:** Updated Rapid7 customers section to include information on a new IDR detection rule.

**September 26, 2022 10:30 AM EDT:** Updated to reflect reports of exploitation in the wild.
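A version-based exposure check against the affected-product list above, as an added example; it is not Rapid7's InsightVM check and not Atlassian's code. It parses the version numerically (plain string comparison gets `7.6.9` versus `7.6.17` wrong), compares it with the first fixed release of its branch, and returns `None` for branches the list does not mention rather than guessing either way. The `/rest/api/1.0/application-properties` endpoint and its `version` field are an assumption about the Bitbucket REST API, and the response body used here is constructed.

```python
"""Version-based exposure check for CVE-2022-36804.

Added example, not Rapid7's InsightVM check. The fixed versions come from the
affected-product list in the advisory above; any other release branch is
reported as None because that list does not cover it.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (major, minor) branch -> first fixed release, as listed in the advisory
FIXED_VERSIONS = {
    (7, 6): (7, 6, 17),
    (7, 17): (7, 17, 10),
    (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 3),
    (8, 2): (8, 2, 2),
    (8, 3): (8, 3, 1),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Turn '8.2.1', 'v7.21.3' or '8.3.0-RELEASE' into an int tuple.

    Numeric tuples compare correctly; as strings, '7.6.9' < '7.6.17' is False.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if below the fixed release of its branch, False if at or above it,
    None if the branch is not in the advisory's list (do NOT read None as safe)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def exposure_from_application_properties(body: str) -> Optional[bool]:
    """Assumption: a GET to /rest/api/1.0/application-properties on Bitbucket
    returns JSON with a 'version' field. Pass that response body here."""
    return is_affected(json.loads(body)["version"])


# CONSTRUCTED response body standing in for a real server's answer
SAMPLE_BODY = '{"version":"8.2.1","buildNumber":"8002001","displayName":"Bitbucket"}'

if __name__ == "__main__":
    for ver in ("7.6.9", "7.6.17", "7.21.3", "8.3.0", "8.3.1", "7.18.2"):
        print(f"{ver:8s} affected={is_affected(ver)}")
    print("sample body:", exposure_from_application_properties(SAMPLE_BODY))
```

Treat `None` as "check the vendor advisory", not as "not affected": the page's list only names the branches that received fixes.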
_**Additional reading:**_

* _[Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite](<https://www.rapid7.com/blog/post/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/>)_
* _[Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26138](<https://www.rapid7.com/blog/post/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/>)_
* _[Exploitation of Mitel MiVoice Connect SA CVE-2022-29499](<https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/>)_
* _[CVE-2022-27511: Citrix ADM Remote Device Takeover](<https://www.rapid7.com/blog/post/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/>)_