CVE-2022-36804 — Atlassian Bitbucket Server and Data Center Command Injection Vulnerability

Atlassian Bitbucket Server and Data Center — Authenticated Command Injection via Repository Archive API Endpoints

What is Atlassian Bitbucket Server and Data Center?

Atlassian Bitbucket Server and Data Center is an on-premises Git repository management platform used by development teams for source code hosting, code review, and CI/CD pipeline integration. It is widely deployed in enterprises as the source-of-truth for proprietary codebases and often integrated with other Atlassian products (Jira, Confluence, Bamboo). Access to a Bitbucket server can expose sensitive source code, secrets embedded in repositories, CI/CD credentials, and deployment keys.

Overview

CVE-2022-36804 is a command injection vulnerability (CWE-78) affecting multiple API endpoints in Atlassian Bitbucket Server and Data Center. An attacker with read access to a public repository — or any level of authenticated access to a private repository — can execute arbitrary OS commands on the Bitbucket server by sending a malicious HTTP request. No elevated permissions are required beyond the ability to read a repository. Atlassian patched the vulnerability on August 24, 2022; it was added to CISA KEV five weeks later following observed exploitation in the wild.

Affected Versions

Product                             Vulnerable           Fixed
Bitbucket Server and Data Center    7.6.x  < 7.6.17      7.6.17
Bitbucket Server and Data Center    7.17.x < 7.17.10     7.17.10
Bitbucket Server and Data Center    7.21.x < 7.21.4      7.21.4
Bitbucket Server and Data Center    8.0.x  < 8.0.3       8.0.3
Bitbucket Server and Data Center    8.1.x  < 8.1.3       8.1.3
Bitbucket Server and Data Center    8.2.x  < 8.2.2       8.2.2
Bitbucket Server and Data Center    8.3.x  < 8.3.1       8.3.1

The table lists only the branches that received a fix. Atlassian's advisory marks every release from 7.0.0 up to 8.3.0 as affected, so branches not shown here (for example 7.0 to 7.5, 7.7 to 7.16 and 7.18 to 7.20) have no fixed release of their own and must be upgraded to one of the fixed versions above.

Technical Details

The vulnerability is in the repository archive endpoint (/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive), which builds a `git archive` command line from request parameters such as `prefix` and `path`. Bitbucket passed these values into the git process's argument list in a way that treated embedded null bytes (`%00` in the URL) as argument separators, so a single parameter value could append attacker-chosen git options, including `--remote` and `--exec`, which make git run an attacker-supplied program on the server. Strictly this is argument injection into a subprocess rather than classic shell-metacharacter injection, but the result is arbitrary command execution and NVD classifies it as CWE-78 (OS command injection).

  • Authentication required: Low — read access to a public repo (no account needed) or any read permission on a private repo
  • Attack complexity: Low — single HTTP request with a crafted parameter value
  • User interaction: None — fully automated, no victim action required
  • Impact: Full remote code execution as the bitbucket service user on the host OS; can be escalated to full server takeover via post-exploitation
  • Exposure: Any internet-facing Bitbucket Server instance with public repositories is exploitable without authentication

Discovery

Reported to Atlassian through its bug bounty program by the external security researcher known as TheGrandPew. Atlassian published the advisory and patches on August 24, 2022.

Exploitation Context

CISA's addition to KEV on September 30, 2022 reflects active scanning and exploitation observed in the weeks after public disclosure. Proof-of-concept exploits were quickly published following the advisory. Threat actors used the vulnerability to:

  • Achieve initial access to development infrastructure
  • Steal source code and repository contents
  • Harvest embedded secrets (API keys, cloud credentials, database passwords in config files)
  • Establish persistence via web shells or cron jobs on the Bitbucket host

Development infrastructure compromise via source code repository vulnerabilities is a frequent initial access vector in supply chain attacks.

Remediation

  1. Upgrade to a patched Bitbucket version immediately — see the version table above for the minimum safe release per branch
  2. If immediate patching is not possible, restrict Bitbucket's API endpoints at the network perimeter or reverse proxy level
  3. Disable public (anonymous) repository access if it is not needed by setting feature.public.access=false in bitbucket.properties and restarting, the workaround Atlassian published alongside the advisory. This only removes the unauthenticated path; any account with read access to a repository can still exploit an unpatched server
  4. Review Bitbucket access logs for unusual requests to /rest/api/latest/.*/archive endpoints with unexpected parameter values
  5. Audit repositories for newly committed malicious files (web shells, unauthorized deploy keys) following the exposure window
  6. Rotate all secrets (API keys, SSH keys, credentials) stored in repositories as a precaution if the server was exposed during the vulnerability window
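Remediation step 4 above, as an added example that is not part of the original page or of Atlassian's tooling: a Python triage script that pulls the quoted request field out of Bitbucket access-log lines, keeps only calls to the REST archive endpoint, and flags parameters that the endpoint forwards to git (the assumed set prefix, path, filename, at, format) when a value carries an embedded null byte or a null-delimited fragment that starts with "-", i.e. a smuggled git option such as --exec. The log lines are constructed and only approximate Bitbucket's pipe-delimited access-log layout; the parser depends solely on the quoted "METHOD /target HTTP/x" field, so it tolerates differences in the other columns.

```python
"""Hunt for CVE-2022-36804 exploitation attempts in Bitbucket access logs.

Added example, not Atlassian code. The sample log below is constructed and
only approximates Bitbucket's pipe-delimited access log; the parser relies
solely on the quoted "METHOD /target HTTP/x" request field.
"""
import re
from urllib.parse import parse_qs, urlsplit

# REST archive endpoint (both the "latest" and "1.0" API aliases).
ARCHIVE_PATH = re.compile(
    r"^/rest/api/(?:latest|1\.0)/projects/[^/]+/repos/[^/]+/archive$"
)

# Assumed set of query parameters the archive endpoint forwards to git archive.
FORWARDED_PARAMS = {"prefix", "path", "filename", "at", "format"}

# The quoted request field as it appears in the access log.
REQUEST_FIELD = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_reasons(query: str) -> list[str]:
    """Return why a query string looks like a git argument-injection attempt."""
    reasons = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in FORWARDED_PARAMS:
            continue
        for value in values:  # parse_qs has already decoded %00 to "\x00"
            if "\x00" in value:
                reasons.append(f"{name}: embedded NUL byte (argument separator)")
            # Any NUL-delimited fragment beginning with "-" is a smuggled git option.
            for fragment in value.split("\x00"):
                if fragment.startswith("-"):
                    opt = fragment.split("=")[0]
                    reasons.append(f"{name}: injected git option {opt!r}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Scan access-log text; return one finding per suspicious archive request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_FIELD.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not ARCHIVE_PATH.match(parts.path):
            continue
        reasons = suspicious_reasons(parts.query)
        if reasons:
            findings.append({
                "client": line.split("|", 1)[0].strip(),  # first column: client IP
                "request": m.group("target"),
                "reasons": reasons,
            })
    return findings


# Constructed sample (not a real capture): one legitimate archive download,
# two injection attempts from the same client, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 | https | i@9 | alice | 2022-09-01 09:00:00,000 | "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip&at=refs%2Fheads%2Fmain HTTP/1.1" | 200
203.0.113.9 | https | i@10 | - | 2022-09-01 09:00:05,000 | "GET /rest/api/latest/projects/PROJ/repos/app/archive?filename=x&at=x&path=x&prefix=ax%00--remote=origin%00--exec=id%00--format=zip HTTP/1.1" | 500
203.0.113.9 | https | i@11 | - | 2022-09-01 09:00:07,000 | "GET /rest/api/1.0/projects/PROJ/repos/app/archive?prefix=--output=/tmp/out&format=tar HTTP/1.1" | 500
10.0.0.7 | https | i@12 | bob | 2022-09-01 09:01:00,000 | "GET /projects/PROJ/repos/app/browse HTTP/1.1" | 200
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["request"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run it against the real access log (the `atlassian-bitbucket-access.log` files under the Bitbucket home's `log` directory) by feeding the file contents to `scan_log`. Flagging on the null byte and on leading "-" in a forwarded parameter, rather than on one specific payload, catches variants that swap `--exec` for another git option, and a legitimate client has no reason to send either.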

Key Details

Property              Value
CVE ID                CVE-2022-36804
Vendor / Product      Atlassian — Bitbucket Server and Data Center
NVD Published         2022-08-25
NVD Last Modified     2025-10-24
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-78
CISA KEV Added        2022-09-30
CISA KEV Deadline     2022-10-21
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-10-21. Apply updates per vendor instructions.

Timeline

Date          Event
2022-08-24    Atlassian publishes security advisory and patches
2022-08-25    CVE published
2022-09-30    Added to CISA Known Exploited Vulnerabilities catalog
2022-10-21    CISA BOD 22-01 remediation deadline