A critical vulnerability (CVE-2022-36804) has been disclosed in Bitbucket Server, a package for deploying a web interface for working with Git repositories. It allows a remote attacker who has access to a private or public repository to execute arbitrary code on the server by sending a specially crafted HTTP request. The problem is present in all releases after 6.10.17 (7.0.0 and later) and is fixed in Bitbucket Server and Bitbucket Data Center 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.2.2 and 8.3.1. The cloud service bitbucket.org is not affected; only the products installed on the customer's own infrastructure are.
The vulnerability was found by a security researcher through the Bugcrowd bug bounty programme, which pays rewards for previously unknown vulnerabilities; the reward amounted to 6 thousand dollars. Details of the attack method and a proof-of-concept exploit are promised 30 days after publication of the fix. As a measure to reduce the risk of attack before the fix is applied, it is recommended to disable public access to repositories by setting "feature.public.access=false" (in bitbucket.properties). Note that this only removes the unauthenticated vector: since the flaw is reachable by anyone with access to a repository, authenticated users with read permission can still exploit it, so the setting is a stopgap and not a substitute for updating.
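As an added example (not code from the article or from Atlassian), the following Python helper turns the advisory data above into a triage check: it classifies an installed Bitbucket Server / Data Center version against the fixed releases listed, and it checks a bitbucket.properties file for the feature.public.access=false mitigation. The release-line rule it applies (a fix exists only on the 7.6, 7.17, 7.21, 8.0, 8.2 and 8.3 lines; anything after 6.10.17 on another line must move to a fixed line) is derived from the fix list above; the function names and the sample properties text are constructed for illustration.

```python
"""Triage helper for CVE-2022-36804 in Bitbucket Server / Data Center.

Added example, not code from the article or from Atlassian. It encodes the
fixed releases named in the advisory and the feature.public.access=false
mitigation; everything else (function names, sample input) is constructed.
"""
import re

# Fixed releases from the advisory, keyed by release line (major, minor).
FIXED_BY_LINE = {
    (7, 6): (7, 6, 17),
    (7, 17): (7, 17, 10),
    (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3),
    (8, 2): (8, 2, 2),
    (8, 3): (8, 3, 1),
}
# Releases after 6.10.17 are affected; 6.10.17 and earlier are not.
LAST_UNAFFECTED = (6, 10, 17)


def parse_version(text):
    """Parse 'major.minor.patch'; a leading 'v' and a -/./+ suffix are tolerated."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[-.+].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Bitbucket version: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version):
    """Classify an installed version against the advisory's fix list."""
    v = parse_version(version)
    if v <= LAST_UNAFFECTED:
        return "not affected"
    fix = FIXED_BY_LINE.get(v[:2])
    if fix is None:
        # e.g. 7.0.x .. 7.5.x, 7.7.x .. 7.16.x, 8.1.x: no patch on this line,
        # the only remedy is moving to one of the fixed lines.
        return "vulnerable: no fix on this release line, upgrade to a fixed line"
    if v >= fix:
        return "fixed"
    return "vulnerable: upgrade to " + ".".join(map(str, fix))


def public_access_disabled(properties_text):
    """True only if bitbucket.properties explicitly sets feature.public.access=false.

    Java .properties accept '=', ':' or whitespace as the separator and the last
    definition wins; commented lines ('#' or '!') never match because re.match
    anchors the key at the start of the line.
    """
    value = None
    for line in properties_text.splitlines():
        m = re.match(r"\s*feature\.public\.access\s*[=:\s]\s*(\S*)", line)
        if m:
            value = m.group(1).lower()
    return value == "false"


def triage(version, properties_text):
    """Combine both checks; the mitigation only blocks the unauthenticated vector."""
    status = assess(version)
    mitigated = public_access_disabled(properties_text)
    if status in ("fixed", "not affected"):
        note = ""
    elif mitigated:
        note = "public access disabled: anonymous vector closed, authenticated users can still exploit"
    else:
        note = "public access enabled: exploitable without credentials"
    return {"version": version, "status": status, "mitigated": mitigated, "note": note}


if __name__ == "__main__":
    # Constructed sample bitbucket.properties, not taken from any real instance.
    SAMPLE_PROPERTIES = """\
# bitbucket.properties (constructed sample)
server.port=7990
feature.public.access=false
"""
    for ver in ("6.10.17", "7.0.0", "7.21.3", "7.21.4", "8.1.0", "8.3.1"):
        print(triage(ver, SAMPLE_PROPERTIES))
```

Run it against the version string shown on the instance's admin page and its bitbucket.properties; a "vulnerable" status with the mitigation in place still means the update should be scheduled, since repository readers keep the ability to trigger the flaw.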