Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center from version 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permission to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
CVSS breakdown
CVSS 3.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Affected products
- Atlassian / Bitbucket Data Center: from 7.0.0 before 7.6.17
- Atlassian / Bitbucket Data Center: from 7.7.0 before 7.17.10
- Atlassian / Bitbucket Data Center: from 7.18.0 before 7.21.4
- Atlassian / Bitbucket Data Center: from 8.0.0 before 8.0.3
- Atlassian / Bitbucket Data Center: from 8.1.0 before 8.1.3
- Atlassian / Bitbucket Data Center: from 8.2.0 before 8.2.2
- Atlassian / Bitbucket Data Center: from 8.3.0 before 8.3.1
- Atlassian / Bitbucket Server: from 7.0.0 before 7.6.17
- Atlassian / Bitbucket Server: from 7.7.0 before 7.17.10
- Atlassian / Bitbucket Server: from 7.18.0 before 7.21.4
- Atlassian / Bitbucket Server: from 8.0.0 before 8.0.3
- Atlassian / Bitbucket Server: from 8.1.0 before 8.1.3
- Atlassian / Bitbucket Server: from 8.2.0 before 8.2.2
- Atlassian / Bitbucket Server: from 8.3.0 before 8.3.1
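An affected-version check for this advisory, added here as an example and not part of the advisory or of any Atlassian tooling: the ranges are copied from the description above (each is inclusive of the first affected release and exclusive of the first fixed one), and the host inventory at the bottom is constructed.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the advisory description: [first affected, first fixed).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("7.0.0", "7.6.17"),
    ("7.7.0", "7.17.10"),
    ("7.18.0", "7.21.4"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.3"),
    ("8.2.0", "8.2.2"),
    ("8.3.0", "8.3.1"),
]


def parse_version(text: str) -> Version:
    """Turn '7.6.17' (or '8.0', or '8.0.0-rc1') into a numeric tuple, padded to
    three components so that tuple comparison matches release ordering."""
    core = text.strip().split("-")[0]          # drop any pre-release suffix
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))            # '8.0' -> (8, 0, 0)
    return tuple(parts)


def first_fix_for(version: str) -> Optional[str]:
    """Return the first fixed release for a version inside an affected range,
    or None when the version is outside every range (already fixed, or older
    than the 7.0.0 lower bound at which the advisory's ranges start)."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True when the installed Bitbucket Server/Data Center version is affected."""
    return first_fix_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory; in practice this comes from an asset list.
    inventory = [("bb-prod-1", "7.21.3"), ("bb-prod-2", "8.3.1"), ("bb-lab", "7.6.20")]
    for host, ver in inventory:
        fix = first_fix_for(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{host:10} {ver:8} {status}")
```

Note that a version such as 7.6.20 sits between two ranges and is therefore reported as not affected, which matches the description's "before version 7.6.17" bound.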
Exploits & PoCs
- nuclei: Atlassian Bitbucket - Remote Command Injection, by DhiyaneshDk, tess, sullo