Atlassian has patched a critical Bitbucket Server and Data Center vulnerability, tracked as CVE-2022-36804, which could be exploited to trigger arbitrary code execution, The Hacker News reports.
Threat actors could exploit the command injection flaw by sending specially crafted HTTP requests to various endpoints; according to Atlassian, it affects all Bitbucket Server and Data Center versions released after 6.10.17. "An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request," said Atlassian.

Atlassian has urged users of vulnerable software to upgrade promptly. Organizations that cannot apply the patches immediately have been advised to disable public repositories by setting "feature.public.access=false" to reduce exposure. "This can not be considered a complete mitigation as an attacker with a user account could still succeed," said Atlassian, indicating that systems remain vulnerable to actors holding valid credentials.
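As an added illustration (not Atlassian's code and not from the article), the check below reads a bitbucket.properties file and reports whether the interim mitigation is set; it assumes the file uses standard Java properties syntax and that public access is enabled when the property is absent, and the sample files are constructed.

```python
"""Audit a bitbucket.properties file for the CVE-2022-36804 interim
mitigation (feature.public.access=false). Added example, not Atlassian's code."""
import re

MITIGATION_KEY = "feature.public.access"


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: skips blank and comment lines,
    accepts '=', ':' or whitespace as the separator, and keeps the last
    value seen for a key (later lines override earlier ones)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_public_access(text: str) -> dict:
    """Report whether public repository access is disabled in the given config."""
    props = parse_properties(text)
    value = props.get(MITIGATION_KEY)
    # Assumption: public access is enabled unless explicitly set to false.
    disabled = value is not None and value.lower() == "false"
    return {
        "public_access_disabled": disabled,
        "configured_value": value,
        # Atlassian states this is not a complete mitigation: a user with
        # read access can still exploit the flaw, so patching remains required.
        "complete_mitigation": False,
    }


# Constructed sample files for demonstration.
UNMITIGATED = "# sample\nserver.port=7990\nfeature.public.access=true\n"
MITIGATED = "# sample\nserver.port=7990\nfeature.public.access = false\n"

if __name__ == "__main__":
    for name, content in (("unmitigated", UNMITIGATED), ("mitigated", MITIGATED)):
        print(name, audit_public_access(content))
```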