This is a public space:
For the draft, please restrict the page during creation and
remove this warning when page is published
Critical Severity Command Injection Vulnerability - CVE-2022-36804
Dear customer,
on the 24th of August 2022 10 PM CEST, Atlassian issued a Security Advisory for Bitbucket Server and Bitbucket Data Center. The Cloud versions of the applications are not affected.
What you need to know
This advisory discloses a critical severity security vulnerability which was introduced in version 7.0.0 of Bitbucket Server and Data Center. All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.
Affected Versions
All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.
Fixed Versions
Supported Version | Bug Fix Release |
|---|---|
Bitbucket Server and Data Center 7.6 | 7.6.17 (LTS) or newer |
Bitbucket Server and Data Center 7.17 | 7.17.10 (LTS) or newer |
Bitbucket Server and Data Center 7.21 | 7.21.4 (LTS) or newer |
Bitbucket Server and Data Center 8.0 | 8.0.3 or newer |
Bitbucket Server and Data Center 8.1 | 8.1.3 or newer |
Bitbucket Server and Data Center 8.2 | 8.2.2 or newer |
Bitbucket Server and Data Center 8.3 | 8.3.1 or newer |
What should I do? - On-Premise Products
Atlassian recommends that you upgrade your instance to one of the versions listed in the “Fixed Versions” section of this same page. For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket from the download center. For Frequently Asked Questions (FAQ) click here.
Workaround
To remediate this vulnerability, update each affected product installation to a fixed version listed above.
If you’re unable to upgrade Bitbucket, a temporary mitigation step is to turn off public repos globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack. This can not be considered a complete mitigation as an attacker with a user account could still succeed.
You use Bitbucket Cloud.
You are not affected by this Security Advisory.
No need for actions
You Bitbucket Server or Data Center hosted with bitvoodoo.
Workaround
To remediate this vulnerability, update each affected product installation to a fixed version listed above.
If you’re unable to upgrade Bitbucket, a temporary mitigation step is to turn off public repos globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack. This can not be considered a complete mitigation as an attacker with a user account could still succeed.
Bitbucket Mesh
If you have configured Bitbucket Mesh nodes, these will need to be updated with to the corresponding version of Mesh that includes the fix. To find the version of Mesh compatible with Bitbucket Data Center version, please check the compatibility matrix. You can download the corresponding version from the download center.
If you are unsure if your Bitbucket instance has Bitbucket Mesh configured, as a user with system administration privileges navigate to Administration > Bitbucket Mesh, this page will list Mesh nodes each of which will need to be upgraded. If the list is empty, your instance does not have Mesh configured and this extra step is not required.
Mitigation
To remediate this vulnerability, update each affected product installation to a fixed version listed above.
If you’re unable to upgrade Bitbucket, a temporary mitigation step is to turn off public repos globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack. This can not be considered a complete mitigation as an attacker with a user account could still succeed.
