
Patch now! Attacks on Atlassian Bitbucket Server

Security researchers and a US security agency warn that attackers are targeting Bitbucket Server.

 

Attackers are currently exploiting a vulnerability in Atlassian Bitbucket Server that is classified as "critical". The vulnerability also affects Bitbucket Data Center. Cloud access via bitbucket.org is not affected. The extent of the attacks is currently unknown.

Software developers can use the Bitbucket online service to implement version management for their software projects. If attacks are successful, attackers could push malicious code onto systems and execute it; such systems are generally considered to be completely compromised. Security researchers are warning of the attacks, for example on Twitter. The US security authority Cybersecurity & Infrastructure Agency (CISA) also advises admins to close the vulnerability (CVE-2022-36804) quickly.

The vulnerability has been known since the end of August 2022. As a prerequisite, attackers need access to a public Bitbucket repository. With that access, they could initiate attacks by sending crafted HTTP requests. Attacks are possible starting with version 6.10.17 of Bitbucket Server and Bitbucket Data Center. The following versions are secured against the attacks:

  • Bitbucket Server and Bitbucket Data Center from 7.6.17 (LTS)
  • Bitbucket Server and Bitbucket Data Center from 7.17.10 (LTS)
  • Bitbucket Server and Bitbucket Data Center from 7.21.4 (LTS)
  • Bitbucket Server and Bitbucket Data Center 8.0.3 or later
  • Bitbucket Server and Bitbucket Data Center 8.1.3 or later
  • Bitbucket Server and Bitbucket Data Center 8.2.2 or later
  • Bitbucket Server and Bitbucket Data Center 8.3.1 or later

If the security update cannot be installed immediately, admins should block access to public repositories by setting feature.public.access=false until they can install the security patch.
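To triage an inventory of instances against the version list and the workaround above, the following added example (not code from Atlassian or from this article) classifies a version string and checks a properties text for the setting. It assumes each list entry is the minimum patch level within its own release line, that release lines newer than 8.3 are fixed, and that the properties content is passed in as text; the function names are hypothetical.

```python
import re

# Minimum fixed patch level per release line, from the article's list.
FIXED = {(7, 6): 17, (7, 17): 10, (7, 21): 4,
         (8, 0): 3, (8, 1): 3, (8, 2): 2, (8, 3): 1}
FIRST_AFFECTED = (6, 10, 17)  # attacks possible starting with this version


def status(version):
    """Return 'not-affected', 'fixed' or 'vulnerable' for a major.minor.patch string."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    v = tuple(int(p) for p in m.groups())
    if v < FIRST_AFFECTED:
        return "not-affected"
    line = v[:2]
    if line in FIXED:
        return "fixed" if v[2] >= FIXED[line] else "vulnerable"
    # Assumption: release lines newer than 8.3 fall under "8.3.1 or later".
    # Lines without a listed fix (e.g. 7.7.x) stay vulnerable until upgraded.
    return "fixed" if line > max(FIXED) else "vulnerable"


def public_access_disabled(properties_text):
    """True if the last uncommented feature.public.access entry is 'false'."""
    value = None
    for raw in properties_text.splitlines():
        entry = raw.strip()
        if not entry or entry[0] in "#!":  # blank line or properties comment
            continue
        key, sep, val = entry.partition("=")
        if sep and key.strip() == "feature.public.access":
            value = val.strip().lower()
    return value == "false"


def triage(version, properties_text):
    """Combine version status and workaround state into one finding."""
    state = status(version)
    if state != "vulnerable":
        return state
    if public_access_disabled(properties_text):
        return "mitigated-upgrade-pending"
    return "vulnerable"


if __name__ == "__main__":
    sample = "# constructed sample\nfeature.public.access=false\n"
    for ver in ("6.10.16", "7.6.16", "7.6.17", "7.7.0", "8.3.1"):
        print(ver, triage(ver, sample))
```

A missing or commented-out setting is reported as not mitigated, so an instance only counts as protected by the workaround when the entry is explicitly present.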
