Atlassian is alerting Bitbucket Server and Data Center users to a major security vulnerability that may allow attackers to run arbitrary code on vulnerable systems.
The vulnerability, tracked as CVE-2022-36804, is a command injection flaw affecting multiple API endpoints of the product. With a CVSS severity score of 9.9 out of a possible 10.0, it is rated critical and should be fixed immediately.
According to an advisory from Atlassian, "A hacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request."
Bitbucket is a Git-based code hosting service integrated with Jira and part of the company's DevOps offering. Bitbucket offers both free and paid plans and supports an unlimited number of private repositories.
All Bitbucket versions released after 6.10.17 are impacted: "all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," according to Atlassian, which states that the flaw was introduced in version 7.0.0 of Bitbucket.
Where patches cannot be applied immediately, Atlassian advises disabling public repositories by setting 'feature.public.access=false' as a temporary mitigation, which prevents unauthorized users from exploiting the flaw.
It warned that "this cannot be regarded as a complete mitigation as an attacker with a user account could still succeed," meaning that attackers who already hold legitimate credentials obtained by other means could still exploit it.
It is advised that users of the affected software versions update as soon as possible to the most recent version in order to reduce security risks.
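As an added example (not Atlassian's code or anything from the advisory), the script below lets an administrator check an instance against the two facts the advisory gives: the affected version range 7.0.0 through 8.3.0 inclusive, and whether the interim workaround property `feature.public.access=false` is actually in effect. It assumes the property is read from the instance's `bitbucket.properties` file and that the content passed in is that file's text; the file location and the sample properties content are constructed for this example. It flags every version inside the stated range and does not know the per-branch fixed builds, which this page does not list, so treat "exposed" as "compare against the vendor's fixed-version table".

```python
"""Exposure check for CVE-2022-36804 based on the version range and the
interim mitigation named in the advisory. Added example; not vendor code."""
import re
from typing import Tuple

# Range quoted from the advisory: 7.0.0 through 8.3.0 inclusive.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (8, 3, 0)

# The property Atlassian names as the temporary workaround. That it lives in
# bitbucket.properties under the shared home is an assumption of this example.
MITIGATION_KEY = "feature.public.access"

# Constructed sample of a bitbucket.properties file (not from a real install).
SAMPLE_PROPERTIES = """# constructed sample bitbucket.properties
server.port=7990
feature.public.access=false
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; trailing suffixes such as '-rc1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def public_access_disabled(properties_text: str) -> bool:
    """True only if feature.public.access is explicitly set to false.

    A missing key means the default (public access allowed) is in effect,
    so absence is reported as not mitigated. Java properties allow '=' or ':'
    as the separator; both are accepted here.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == MITIGATION_KEY:
            return m.group(2).strip().lower() == "false"
    return False


def assess(version: str, properties_text: str) -> str:
    """Summarise exposure as 'not-affected', 'mitigated' or 'exposed'.

    'mitigated' means public repositories are off; per the advisory an
    attacker who already holds an account could still succeed, so it is
    a stopgap, not a substitute for patching.
    """
    if not is_affected(version):
        return "not-affected"
    if public_access_disabled(properties_text):
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    for ver in ("6.10.17", "7.0.0", "8.2.1", "8.3.0", "8.3.1"):
        print(f"{ver:>8}: {assess(ver, SAMPLE_PROPERTIES)}")
```

In practice the version string comes from the instance itself and the properties text from the shared home's `bitbucket.properties`; the check deliberately treats an absent key as not mitigated, since that is the default behaviour the advisory's workaround exists to change.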
Max Garrett, a security researcher, disclosed CVE-2022-36804 to Atlassian via the company's bug bounty program on Bugcrowd and was rewarded with $6,000 for his discovery.
The teenage researcher tweeted yesterday that he will publish a proof-of-concept (PoC) exploit for the flaw in 30 days, giving system administrators ample time to apply the patches that are now available.
There is no guarantee that the critical RCE flaw will not be actively exploited before the PoC is released; in fact, it seems inevitable. According to Garrett, reverse engineering Atlassian's patch should not be too challenging for knowledgeable attackers.
The motivation is there because remote code execution is the most dangerous class of vulnerability, allowing attackers to cause significant harm while bypassing security controls.
As a result, users of Bitbucket Server and Data Center are urged to install any security updates or mitigations as soon as they become available.