Bitbucket CVE-2022-36804: Remote Code Execution via Improperly Sanitized Input
For those using Bitbucket Server or Bitbucket Data Center, you need to upgrade ASAP!
Today, Atlassian released a critical security advisory for the following vulnerability: anyone with read access to at least one repository can use the Bitbucket REST API to inject and execute arbitrary commands on the server. Remote code execution (RCE) vulnerabilities are among the most dangerous classes of security flaw, because they let an attacker run their own commands on a system without any local access; here the only prerequisite is read permission on a single repository.
Attackers could use this vulnerability to steal or tamper with your organization's code and repositories, since the injected commands run on the Bitbucket server itself.
Servers are particularly exposed if they host any public repositories: because the vulnerability only requires read access, an attacker with no Bitbucket account at all can exploit it and gain full remote access. Our previous post about Bitbucket security best practices explains why public repositories are dangerous in general, and how to disable them.
The specific vulnerability is triggered by crafting HTTP request parameters that include the NUL character (%00), which Bitbucket fails to reject before passing the parameter on to git. NUL terminates a string in C, so the text Bitbucket validated as one parameter is not the text the git process actually receives: the argument is truncated at the NUL, and what follows it can end up as further command arguments or environment values. Bitbucket's built-in request-level protections only ever saw the parameter as a single string, which is why the injected text slips past them.
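The following Python is an added illustration of the mechanism described above and of the two things a practitioner wants alongside it: an allow-list check to run before a request parameter reaches git, and a scan of access logs for NUL-byte injection attempts. It is not Bitbucket or Atlassian code. The launcher model (a NUL-separated argv block handed to C with a count), the validation rules, the `/rest/api/` path, the log format and the log lines are all assumptions chosen for illustration, not details from the advisory; `--injected` stands in for whatever option an attacker would supply.

```python
"""NUL bytes in process arguments: why a request-level filter can be bypassed.

Added example for this write-up; not Bitbucket or Atlassian code. The launcher
model, validation rules, request path and log format below are assumptions.
"""
import ctypes
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for values that will become part of a git argument (assumption:
# a repository path/prefix only ever needs these characters).
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/-]+$")


def argv_as_seen_by_c(arg: str) -> str:
    """What a C program sees when handed `arg`: the string ends at the NUL."""
    raw = arg.encode("utf-8")
    return ctypes.c_char_p(raw).value.decode("utf-8")


def marshal_argv_like_a_launcher(args: list[str]) -> tuple[bytes, int]:
    """Assumed model of a launcher that packs argv into one NUL-separated
    block and passes the argument count alongside it, trusting that no
    argument carries a NUL of its own."""
    return b"".join(a.encode("utf-8") + b"\0" for a in args), len(args)


def argv_as_walked_by_c(block: bytes, argc: int) -> list[str]:
    """How the C side rebuilds argc strings from that block: each strlen()+1
    step lands on the next string, so an embedded NUL splits one argument in
    two and pushes the last real argument off the end of the list."""
    out, pos = [], 0
    for _ in range(argc):
        end = block.index(b"\0", pos)
        out.append(block[pos:end].decode("utf-8"))
        pos = end + 1
    return out


def validate_git_argument(value: str) -> bool:
    """Check to run before a request parameter is handed to git: non-empty,
    never option-shaped, and only allow-listed printable characters (which
    excludes NUL and every other control byte)."""
    if not value or value.startswith("-"):
        return False
    if "\0" in value:          # the trigger for this CVE, rejected explicitly
        return False
    return SAFE_ARG.fullmatch(value) is not None


# Constructed access-log lines in a common-log-like layout (an assumption;
# real Bitbucket access logs use their own format). Line 3 carries an
# encoded NUL in a REST API parameter; line 4 is a benign encoded slash.
SAMPLE_LOG = """\
10.0.0.5 - alice [24/Aug/2022:10:00:01 +0000] "GET /rest/api/latest/projects/PRJ/repos/app/archive?prefix=release/ HTTP/1.1" 200 8192
10.0.0.7 - - [24/Aug/2022:10:00:02 +0000] "GET /projects/PRJ/repos/app/browse HTTP/1.1" 200 4096
203.0.113.9 - - [24/Aug/2022:10:00:03 +0000] "GET /rest/api/latest/projects/PRJ/repos/app/archive?prefix=ax%00--injected HTTP/1.1" 200 0
10.0.0.5 - alice [24/Aug/2022:10:00:04 +0000] "GET /rest/api/latest/projects/PRJ/repos/app/archive?prefix=v1%2F HTTP/1.1" 200 8192
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def find_nul_injection_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (client, raw request target) for REST API requests whose query
    string, decoded once as the server would decode it, contains a NUL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if not parts.path.startswith("/rest/api/"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if any("\0" in v for values in params.values() for v in values):
            hits.append((m.group("client"), target))
    return hits


if __name__ == "__main__":
    tainted = "--prefix=ax\0--injected"
    print("C sees:", argv_as_seen_by_c(tainted))
    block, argc = marshal_argv_like_a_launcher(["git", "archive", tainted, "HEAD"])
    print("git receives:", argv_as_walked_by_c(block, argc))
    print("validator:", validate_git_argument("ax\0--injected"))
    print("log hits:", find_nul_injection_attempts(SAMPLE_LOG))
```

The point of the launcher model is the gap between the validated value and the executed value: the runtime counted one argument, C counted two, and the trailing `HEAD` was lost. The validator closes the gap by refusing anything option-shaped or non-printable before the value is ever marshalled, and the log scan decodes the query exactly once so that an encoded `%00` is matched while a harmless `%2F` is not.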
CVE-2022-36804 is a good reminder that security requires constant investment and diligence. At Soteri, we not only write plugins for Atlassian products, we use them ourselves as well. Security for Bitbucket is our integrated tool for protecting Bitbucket against secret and credential leaks.