CVE-2022-36804
Atlassian Bitbucket Server and Data Center Command Injection Vulnerability
Confirmed exploited in the wild. Added 2022-09-30.
Federal remediation due 2022-10-21.
Required action: Apply updates per vendor instructions.
Summary
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 8.8 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
References
- http://packetstormsecurity.com/files/168470/Bitbucket-Git-Command-Injection.html
- http://packetstormsecurity.com/files/171453/Bitbucket-7.0.0-Remote-Command-Execution.html
- https://jira.atlassian.com/browse/BSERV-13438
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36804
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-24. Always verify against the vendor advisory before acting.