Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2022-36804
PUBLISHEDMultiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from...
- Vendor
- Atlassian
- Product
- Bitbucket Server, Bitbucket Data Center
- Published
- Aug 25, 2022
- EPSS
- —
Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation status
Exploited in the wild
Recorded 2022-09-30 00:00:00 UTC · Source
SSVC decision points
- Exploitation
- active
- Automatable
- No
- Technical impact
- total
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Sep 30, 2022 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/bitbucket_git_cmd_injection.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-36804.yaml | Apr 25, 2025 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2022-10-04 08:26:12 UTC · 7 stars
Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)
github · Created 2022-09-26 08:35:31 UTC · 12 stars
A loader for bitbucket 2022 rce (cve-2022-36804)
github · Created 2022-09-24 18:46:56 UTC · 0 stars
PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection)
github · Created 2022-09-24 05:04:30 UTC · 3 stars
You can find a python script to exploit the vulnerability on Bitbucket related CVE-2022-36804.
github · Created 2022-09-23 11:05:22 UTC · 3 stars
PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection)
github · Created 2022-09-21 10:36:50 UTC · 7 stars
Bitbucket CVE-2022-36804 unauthenticated remote command execution
github · Created 2022-09-20 02:35:53 UTC · 16 stars
Somewhat Reliable PoC Exploit for CVE-2022-36804 (BitBucket Critical Command Injection)
github · Created 2022-09-19 13:15:13 UTC · 18 stars
Multithreaded exploit script for CVE-2022-36804 affecting BitBucket versions <8.3.1
github · Created 2022-09-07 09:35:49 UTC · 36 stars
A real exploit for BitBucket RCE CVE-2022-36804
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Detected by Nuclei
-
Detected by Metasploit