Crafted HTTP requests could pose a threat to Atlassian Bitbucket Server


Important security updates for Atlassian Bitbucket Server and Bitbucket Data Center close a critical vulnerability that allows attackers to execute malicious code.


Under certain conditions, attackers could attack Atlassian's Bitbucket Server and Bitbucket Data Center. If an attack succeeds, malicious code could end up on the machine; systems in that state are generally considered fully compromised.


As the developers write in a security advisory, attackers need access to a public Bitbucket repository or read permission on a private repository. If that is the case, they could execute malicious code on the system by sending crafted HTTP requests. The vulnerability (CVE-2022-36804) is classified as "critical".

Attacks are possible on versions after 6.10.17. The following versions should be protected against these attacks. Anyone using Bitbucket in the cloud (bitbucket.org) is not affected by the vulnerability.

  • Bitbucket Server and Bitbucket Data Center from 7.6.17 (LTS)
  • Bitbucket Server and Bitbucket Data Center from 7.17.10 (LTS)
  • Bitbucket Server and Bitbucket Data Center from 7.21.4 (LTS)
  • Bitbucket Server and Bitbucket Data Center 8.0.3 or later
  • Bitbucket Server and Bitbucket Data Center 8.1.3 or later
  • Bitbucket Server and Bitbucket Data Center 8.2.2 or later
  • Bitbucket Server and Bitbucket Data Center 8.3.1 or later

There is a temporary workaround for admins who cannot install the security updates right away: to block attacks, they have to disable public repositories by setting feature.public.access=false. After that, only users with approved accounts can access the repositories.
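As an added triage helper (not code from the article or from Atlassian), the following checks an installed version against the fixed releases listed above and inspects a bitbucket.properties fragment for the workaround. It assumes the list above is complete and that a branch without a listed fixed release (for example 7.18.x) should move to the next listed fixed release.

```python
"""Triage helper for CVE-2022-36804 (added example, not Atlassian code)."""
from typing import Optional, Tuple

# First fixed patch level per major.minor branch, as listed in the article
FIXED_RELEASES = {
    (7, 6): 17, (7, 17): 10, (7, 21): 4,
    (8, 0): 3, (8, 1): 3, (8, 2): 2, (8, 3): 1,
}
# The article states that attacks are possible on versions after 6.10.17
LAST_UNAFFECTED = (6, 10, 17)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_target) with status in
    'not_affected', 'fixed' or 'upgrade'."""
    v = parse_version(version)
    if v <= LAST_UNAFFECTED:
        return "not_affected", None
    branch = v[:2]
    fixed_patch = FIXED_RELEASES.get(branch)
    if fixed_patch is None:
        # Assumption: no fix listed for this branch, so recommend the
        # nearest listed fixed release at or above it (or the newest one).
        above = sorted(b for b in FIXED_RELEASES if b >= branch)
        target = above[0] if above else max(FIXED_RELEASES)
        return "upgrade", f"{target[0]}.{target[1]}.{FIXED_RELEASES[target]}"
    if v[2] >= fixed_patch:
        return "fixed", None
    return "upgrade", f"{branch[0]}.{branch[1]}.{fixed_patch}"


def workaround_active(properties_text: str) -> bool:
    """True if the bitbucket.properties text (constructed sample in the test)
    sets feature.public.access=false, the temporary mitigation named above."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comment or non key=value line
        key, _, value = line.partition("=")
        if key.strip() == "feature.public.access":
            return value.strip().lower() == "false"
    return False  # key absent: the workaround has not been explicitly set
```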