"Patch Critical Flaw in Atlassian Bitbucket Server and Data Center!"

Unauthorized attackers could exploit a critical vulnerability, tracked as CVE-2022-36804, in Atlassian Bitbucket Server and Data Center to execute malicious code on vulnerable instances. Software developers all over the world use Bitbucket Server and Data Center for source code revision control, management, and hosting. The critical vulnerability is a command injection flaw in the Bitbucket Server and Data Center Application Programming Interface (API) endpoints. By sending a malicious HTTP request, an attacker with access to a public repository or read permissions to a private Bitbucket repository can execute arbitrary code, according to Atlassian. The attacker's ability to take subsequent actions is determined by the permissions associated with the exploited application. All Bitbucket Server and Data Center versions prior to 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.2, 8.2.2, and 8.3.1 are vulnerable, but Atlassian-hosted Bitbucket installations are not. Users are encouraged to upgrade their self-hosted installations to close the security gap. If they have Bitbucket Mesh nodes configured, they will also need to update to the corresponding Mesh version that includes the fix. If they cannot upgrade Bitbucket, a temporary mitigation step is to disable public repositories globally by setting feature.public.access=false, which turns this attack vector from an unauthorized attack into one that requires authorization. This is not a complete mitigation because an attacker with a user account could still succeed. This article continues to discuss the potential exploitation, impact, and mitigation of the critical flaw in Atlassian Bitbucket Server and Data Center.
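As an added triage helper (not code from the article or from Atlassian), the check below takes the fixed versions listed above and tells an administrator whether a self-hosted version predates its fix, and whether the interim feature.public.access=false mitigation is present in a bitbucket.properties file. It assumes that a release line with no listed fix (for example 7.18.x) is affected unless it is newer than 8.3.1, and that a missing property means the mitigation has not been applied.

```python
from __future__ import annotations

# Fixed versions named in the advisory summarised above; anything below
# these in its own release line is affected by CVE-2022-36804.
FIXED_VERSIONS = ["7.6.17", "7.17.10", "7.21.4", "8.0.3", "8.1.2", "8.2.2", "8.3.1"]


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable tuple; missing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True if a self-hosted Bitbucket Server/DC version predates its fix.

    Assumption (not stated in the article): a release line with no listed
    fix is treated as affected unless it is newer than the newest fix (8.3.1).
    """
    v = parse_version(version)
    newest_fix = max(parse_version(f) for f in FIXED_VERSIONS)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2]:        # same release line: compare the patch level
            return v < f
    return v < newest_fix         # unlisted line: affected unless newer than all fixes


def public_access_disabled(properties: str) -> bool:
    """Check bitbucket.properties text for the interim mitigation
    feature.public.access=false (commented-out lines do not count).
    Assumption: a missing property means the mitigation is not applied."""
    for line in properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "feature.public.access":
            return value.strip().lower() == "false"
    return False


def triage(version: str, properties: str) -> str:
    """Summarise the state of one instance for a patch-tracking report."""
    if not is_vulnerable(version):
        return "patched"
    if public_access_disabled(properties):
        return "vulnerable, public access disabled (still exploitable by authenticated users)"
    return "vulnerable, public access enabled"


if __name__ == "__main__":
    # Constructed sample: an unpatched 7.21.x instance with the mitigation set.
    sample_props = "# bitbucket.properties\nfeature.public.access=false\n"
    print(triage("7.21.3", sample_props))
```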

Help Net Security reports "Patch Critical Flaw in Atlassian Bitbucket Server and Data Center!"

Submitted by Anonymous on