CVE-2022-36804
In short
Multiple API endpoints in Atlassian Bitbucket Server and Data Center allow attackers with read access to a repository to execute arbitrary code via malicious HTTP requests. This enables remote code execution on affected systems, compromising the security of the entire server.
Technical detail
Remote Code Execution (RCE) vulnerability in Bitbucket API endpoints, exploitable via malicious HTTP requests (CWE-78, CWE-88). The attack requires only read permission on a repository; successful exploitation allows arbitrary code execution on the server. Affects unpatched versions from 7.0.0 through 8.3.0.
Summary generated and translated by AI from the official description.
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Public PoCs found: 21
- github.com/notdls/CVE-2022-36804 (★ 35)
- github.com/notxesh/CVE-2022-36804-PoC (★ 18)
- github.com/benjaminhays/CVE-2022-36804-PoC-Exploit (★ 16)
- github.com/SystemVll/CVE-2022-36804 (★ 12)
- github.com/walnutsecurity/cve-2022-36804 (★ 8)
- github.com/ColdFusionX/CVE-2022-36804 (★ 7)
- github.com/kljunowsky/CVE-2022-36804-POC (★ 7)
- github.com/tahtaciburak/cve-2022-36804 (★ 7)
- github.com/Chocapikk/CVE-2022-36804-ReverseShell (★ 4)
- github.com/khal4n1/CVE-2022-36804 (★ 3)
- github.com/Vulnmachines/bitbucket-cve-2022-36804 (★ 3)
- github.com/asepsaepdin/CVE-2022-36804 (★ 0)
- github.com/JohanGabrielson/bitbucket-test (★ 0)
- github.com/JRandomSage/CVE-2022-36804-MASS-RCE (★ 0)
- github.com/0xEleven/CVE-2022-36804-ReverseShell (★ 0)
- github.com/devengpk/CVE-2022-36804 (★ 0)
- github.com/imbas007/Atlassian-Bitbucket-CVE-2022-36804 (★ 0)
- github.com/DanielHallbro/CVE-2022-36804-Bitbucket-RCE-Analysis (★ 0)
- www.exploit-db.com/exploits/51040 (unverified)
- packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html (unverified, CVE reference)
- packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html (unverified, CVE reference)
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html
http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html
https://jira.atlassian.com/browse/BSERV-13438
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804