⚠ Actively exploited
Added to CISA KEV on 2022-09-30. Federal agencies required to patch by 2022-10-21. Required action: Apply updates per vendor instructions.
CVE-2022-36804
Severity
8.8 HIGH
EPSS
94.4%
top 0.02%
CISA KEV
KEV
Added 2022-09-30
Due 2022-10-21
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: Aug 25
KEV added: Sep 30
KEV due: Oct 21
Latest update: Mar 23
Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center from version 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permission to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. …
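The affected ranges above are per release branch and have gaps (for example 7.6.17 is fixed but 7.7.0 is affected again), so a naive "version < 8.3.1" check gives wrong answers. The following is an added example, not Atlassian's, CISA's or this page's tooling: it transcribes the ranges from the description into half-open intervals, parses a Bitbucket version string, reports whether it is affected, and names the first fixed release of that branch. The `version_from_application_properties` helper assumes the Bitbucket REST endpoint `/rest/api/1.0/application-properties`, which returns a JSON object with a `version` field; the JSON payload in the block is constructed for the example and is not a real server response.

```python
"""Check whether an Atlassian Bitbucket Server / Data Center version falls
inside the ranges that CVE-2022-36804 lists as affected.

Added example: the ranges are transcribed from the advisory text; the code
is not Atlassian's or CISA's tooling.
"""
import json
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first_affected_inclusive, first_fixed_exclusive) for each release branch,
# taken from the CVE description. Versions outside these branches are not
# listed by the advisory and are therefore not flagged here.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 6, 17)),
    ((7, 7, 0), (7, 17, 10)),
    ((7, 18, 0), (7, 21, 4)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 2)),
    ((8, 3, 0), (8, 3, 1)),
]


def parse_version(text: str) -> Version:
    """Turn '7.21.3' (or '7.21.3-something') into (7, 21, 3).

    Missing components are treated as 0; anything else is rejected rather
    than silently compared, since a wrong parse would hide a vulnerable host.
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release of the matching branch, or None if
    the version is not inside any affected range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_vulnerable(version: str) -> bool:
    """True if the version lies in any [first_affected, first_fixed) range."""
    return fixed_version_for(version) is not None


def version_from_application_properties(payload: str) -> str:
    """Extract the 'version' field from a Bitbucket application-properties
    JSON document (assumed endpoint: /rest/api/1.0/application-properties)."""
    data = json.loads(payload)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError("application-properties payload has no 'version' string")
    return version


if __name__ == "__main__":
    # Constructed sample payload, not a real server response.
    sample = '{"version":"7.21.3","buildNumber":"7021003","displayName":"Bitbucket"}'
    v = version_from_application_properties(sample)
    fixed = fixed_version_for(v)
    if fixed:
        print(f"Bitbucket {v}: affected by CVE-2022-36804, upgrade to {fixed} or later")
    else:
        print(f"Bitbucket {v}: not in an affected range listed by the advisory")
```

Run against the `version` reported by a server's application-properties endpoint; because the check uses the advisory's exact branch boundaries, an instance on 7.6.17 is reported clean while one on 7.7.0 is reported affected, which is what the description states.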
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 3 packages
Patches
Vulnerability Details
GHSA (3)
GHSA-vcm2-j8f4-m7fj: Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7 (2022-08-26)
CVEList
Exploits & PoCs
Nuclei (2)
Atlassian Bitbucket - Remote Command Injection