CVE-2022-36804: Atlassian exposes many API endpoints, and some older versions are vulnerable. Old versions of Atlassian Bitbucket are vulnerable to API hijacking.


The vulnerability is located in the Bitbucket Server v2.0 API, which is exposed over HTTP. The affected API endpoints are:

    /repositories/{repository-id}/config/settings/users/{user-id}/roles/{role-id}
    /repositories/{repository-id}/config/users/{user-id}/roles/{role-id}
    /repositories/{repository-id}/config/users/{user-id}/roles/{role-id}/permission
    /repositories/{repository-id}/config/users/{user-id}/roles/{role-id}/permission/{permission-id}

This can be exploited by first compromising a user account and then sending a malicious request to the API endpoints. An attacker can deliver the malicious request via email, or by modifying a web-based application so that it sends the request. The API server receives the request and executes the code in the API endpoints, which results in remote code execution.

At the time of this writing, there is no patch available to fix this vulnerability. To mitigate this risk, you should regularly review the permissions that are granted to each user. If you notice that a user has been given permission to edit

Bitbucket Server v3.0 API

The issue with this vulnerability is that it is not easy to detect: the malicious request is not blocked by Bitbucket Server, and the execution of the code goes unnoticed.
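Because the requests above are not blocked by Bitbucket Server, the place to look for them is the access log of the web server in front of it. The following log-review script is an added example, not code from the original post or from Atlassian: it flags every request whose path matches one of the four endpoint templates listed above and marks which ones use a method that can change roles or permissions, which is the review the mitigation paragraph asks for. The combined-log-format layout, the /rest/api/2.0 prefix and the sample lines are assumptions.

```python
import re
from typing import Dict, List

# The four endpoint templates quoted in the advisory; each {x} parameter is one path segment.
WATCHED_ENDPOINTS = [
    "/repositories/{repository-id}/config/settings/users/{user-id}/roles/{role-id}",
    "/repositories/{repository-id}/config/users/{user-id}/roles/{role-id}",
    "/repositories/{repository-id}/config/users/{user-id}/roles/{role-id}/permission",
    "/repositories/{repository-id}/config/users/{user-id}/roles/{role-id}/permission/{permission-id}",
]

# Assumed access-log layout: combined log format with the authenticated user in field 3.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}  # methods that can change roles/permissions

def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a template; any prefix (e.g. an assumed /rest/api/2.0) may precede it."""
    literals = re.split(r"\{[^/}]+\}", template)          # split out the {x} parameters
    body = "[^/]+".join(re.escape(part) for part in literals)
    return re.compile(body + r"/?$")                     # anchor at the end only

WATCHED_RES = [(t, template_to_regex(t)) for t in WATCHED_ENDPOINTS]

def find_watched_requests(log_lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request whose path hits a watched endpoint, in log order."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the assumed layout; skip it rather than crash
        path = m["target"].split("?", 1)[0]  # drop the query string before matching
        for template, rx in WATCHED_RES:
            if rx.search(path):
                hits.append({"user": m["user"], "method": m["method"], "path": path,
                             "status": int(m["status"]), "endpoint": template,
                             "mutating": m["method"] in MUTATING})
                break
    return hits

# Constructed sample lines (not real traffic): two permission changes, one read, one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Sep/2022:10:15:32 +0000] "PUT /rest/api/2.0/repositories/42/config/users/7/roles/3/permission HTTP/1.1" 200 512',
    '10.0.0.5 - alice [12/Sep/2022:10:15:40 +0000] "GET /rest/api/2.0/repositories/42/commits?limit=25 HTTP/1.1" 200 8841',
    '10.0.0.9 - bob [12/Sep/2022:10:16:01 +0000] "DELETE /rest/api/2.0/repositories/42/config/settings/users/7/roles/3 HTTP/1.1" 204 0',
    '10.0.0.9 - bob [12/Sep/2022:10:16:05 +0000] "GET /rest/api/2.0/repositories/42/config/users/7/roles/3/permission/9?expand=all HTTP/1.1" 200 120',
    'garbage line that is not an access-log entry',
]
```

Feed it the lines of the real access log instead of SAMPLE_LOG; the records with "mutating" set, made by accounts that should not be changing roles, are the ones to review first.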
