CVE-2022-36804

Basic Information

CVE State
PUBLISHED
Reserved Date
July 26, 2022
Published Date
August 25, 2022
Last Updated
January 29, 2025
Vendor
Atlassian
Product
Bitbucket Server, Bitbucket Data Center
Description
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

CVSS Scores

CVSS v3.1

8.8 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2022-09-30 00:00:00 UTC)
Proof of Concept Available
Yes (added 2022-09-23 11:05:22 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2022-09-30 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

bitbucket_git_cmd_injection

Type: metasploit • Created: Unknown

Metasploit module for CVE-2022-36804

ColdFusionX/CVE-2022-36804

Type: github • Created: 2022-10-04 08:26:12 UTC • Stars: 7

Atlassian Bitbucket Server and Data Center - Command Injection Vulnerability (CVE-2022-36804)

Inplex-sys/CVE-2022-36804

Type: github • Created: 2022-09-26 08:35:31 UTC • Stars: 12

A loader for bitbucket 2022 rce (cve-2022-36804)

0xEleven/CVE-2022-36804-ReverseShell

Type: github • Created: 2022-09-24 18:46:56 UTC • Stars: 0

PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection)

khal4n1/CVE-2022-36804

Type: github • Created: 2022-09-24 05:04:30 UTC • Stars: 3

You can find a python script to exploit the vulnerability on Bitbucket related CVE-2022-36804.

Chocapikk/CVE-2022-36804-ReverseShell

Type: github • Created: 2022-09-23 11:05:22 UTC • Stars: 3

PoC exploit for CVE-2022-36804 (BitBucket Critical Command Injection)

kljunowsky/CVE-2022-36804-POC

Type: github • Created: 2022-09-21 10:36:50 UTC • Stars: 7

Bitbucket CVE-2022-36804 unauthenticated remote command execution

benjaminhays/CVE-2022-36804-PoC-Exploit

Type: github • Created: 2022-09-20 02:35:53 UTC • Stars: 16

Somewhat Reliable PoC Exploit for CVE-2022-36804 (BitBucket Critical Command Injection)

notxesh/CVE-2022-36804-PoC

Type: github • Created: 2022-09-19 13:15:13 UTC • Stars: 18

Multithreaded exploit script for CVE-2022-36804 affecting BitBucket versions <8.3.1

notdls/CVE-2022-36804

Type: github • Created: 2022-09-07 09:35:49 UTC • Stars: 36

A real exploit for BitBucket RCE CVE-2022-36804