Critical Atlassian Bitbucket Server Vulnerability being exploited

CISA on Sept 30th added a recently disclosed critical flaw impacting Atlassian’s Bitbucket Server and Data Center to the known exploited vulnerabilities (KEV) catalog.

Bitbucket is a Git-based source code repository hosting service owned by Atlassian. Software professionals use this to build, test and deploy software.

Tracked as CVE-2022-36804 is a command injection vulnerability in multiple endpoints of Bitbucket Server and Data Center.

An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending malicious HTTP requests.

All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.