Skip to main content
All vulnerabilities
CVE-2022-36804

Atlassian Bitbucket Server and Data Center Command Injection Vulnerability

AtlassianBitbucket Server and Data Center

Added to KEV catalog
30 September 2022
Federal remediation due date
21 October 2022
Weakness classification (CWE)
CWE-78, CWE-88, CWE-158

CISA Description

Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.

Required action

Apply updates per vendor instructions.

Notes

https://jira.atlassian.com/browse/BSERV-13438; https://nvd.nist.gov/vuln/detail/CVE-2022-36804

Confirm Your Exposure

Is this vulnerability present in your environment?

CRS delivers independent VAPT assessments that identify exactly which known-exploited vulnerabilities exist in your network, applications, and infrastructure.

Explore VAPT Services