CVE-2022-36804 Overview
CVE-2022-36804 is a critical command injection vulnerability affecting multiple API endpoints in Atlassian Bitbucket Server and Data Center. The vulnerability allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This flaw stems from improper input validation in the handling of Git commands through the application's REST API endpoints.
Critical Impact
This vulnerability enables authenticated remote code execution on Bitbucket Server and Data Center instances. Attackers with minimal read-level access to any repository can leverage this flaw to gain complete control over the underlying server, potentially compromising source code, credentials, and downstream CI/CD pipelines.
Affected Products
- Atlassian Bitbucket Server and Data Center versions 7.0.0 before 7.6.17
- Atlassian Bitbucket Server and Data Center versions 7.7.0 before 7.17.10
- Atlassian Bitbucket Server and Data Center versions 7.18.0 before 7.21.4
- Atlassian Bitbucket Server and Data Center versions 8.0.0 before 8.0.3
- Atlassian Bitbucket Server and Data Center versions 8.1.0 before 8.1.3
- Atlassian Bitbucket Server and Data Center versions 8.2.0 before 8.2.2
- Atlassian Bitbucket Server and Data Center version 8.3.0
Discovery Timeline
- August 25, 2022 - CVE-2022-36804 published to NVD
- October 24, 2025 - Last updated in NVD database
Technical Details for CVE-2022-36804
Vulnerability Analysis
CVE-2022-36804 is classified as an OS Command Injection vulnerability (CWE-78). The flaw exists in multiple API endpoints within Atlassian Bitbucket Server and Data Center that process Git-related operations. When handling certain HTTP requests, the application fails to properly sanitize user-supplied input before passing it to underlying Git commands executed on the server.
The vulnerability is particularly dangerous because it can be exploited by any user with read access to a repository, including public repositories where anonymous read access may be enabled. This low barrier to exploitation, combined with the network-accessible attack vector, significantly increases the risk profile.
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Organizations should treat remediation as an urgent priority.
Root Cause
The root cause of CVE-2022-36804 lies in insufficient input validation and sanitization within the API endpoints that handle Git operations. User-controlled input from HTTP requests is incorporated into command-line arguments for Git operations without adequate escaping or filtering. This allows attackers to inject arbitrary shell commands that are then executed with the privileges of the Bitbucket service account.
The vulnerability specifically affects endpoints that process repository archive operations, where specially crafted parameters can break out of the intended command context and inject malicious commands.
Attack Vector
The attack vector for CVE-2022-36804 is network-based and requires only low-privilege access: read permission on any repository on the target Bitbucket instance, which, as noted above, may be available anonymously where public repositories are enabled. The attack flow typically follows these steps:
- The attacker authenticates to the Bitbucket instance with read-level permissions
- A malicious HTTP request is crafted targeting vulnerable API endpoints related to repository archive functionality
- The crafted payload contains shell metacharacters and commands embedded in request parameters
- The Bitbucket server processes the request and passes the malicious input to Git commands
- The injected commands execute on the server with the privileges of the Bitbucket service account
The vulnerability can be exploited to achieve complete remote code execution, allowing attackers to read sensitive files, install backdoors, pivot to other network resources, or exfiltrate source code and credentials.
For technical details on the exploitation mechanism, refer to the Atlassian Security Advisory BSERV-13438 and the Packet Storm Command Injection Analysis.
Detection Methods for CVE-2022-36804
Indicators of Compromise
- Unusual HTTP requests to Bitbucket API endpoints containing shell metacharacters (;, |, $(), backticks)
- Unexpected child processes spawned by the Bitbucket Java process, particularly shell interpreters or common post-exploitation tools
- Anomalous outbound network connections from the Bitbucket server to external IP addresses
- Log entries showing archive or file retrieval operations with malformed or unusual repository/branch names
- File system modifications outside of expected Bitbucket directories, especially in /tmp or user home directories
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing command injection patterns targeting Bitbucket API endpoints
- Monitor Bitbucket access logs for suspicious API calls to archive-related endpoints with unusual parameters
- Deploy endpoint detection and response (EDR) solutions to identify process injection or unexpected command execution originating from Bitbucket processes
- Enable verbose logging for Bitbucket and configure SIEM alerts for patterns associated with command injection attempts
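The following Python script is an added example that applies the Indicators of Compromise and Detection Strategies above to access-log lines; it is not from the original page or from Atlassian. It extracts the quoted request line from each log entry, checks whether the path is a repository archive endpoint, URL-decodes the query parameters (including double-encoded values, which a WAF or SIEM rule matching on the raw request line would miss) and reports any parameter containing one of the metacharacters listed above. The archive endpoint path pattern and the sample log lines are assumptions constructed for this example.

```python
"""Flag access-log requests to Bitbucket archive endpoints whose parameters
carry shell metacharacters.  Added example; the endpoint path pattern and the
sample log lines below are assumptions, not taken from Atlassian material."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed REST path shape for repository archive requests:
#   /rest/api/<version>/projects/<KEY>/repos/<slug>/archive
ARCHIVE_PATH = re.compile(r"^/rest/api/[^/]+/projects/[^/]+/repos/[^/]+/archive/?$")

# Shell metacharacters named in the Indicators of Compromise list: ; | $( and backtick.
METACHARS = re.compile(r"[;|`]|\$\(")

# Pull the quoted request line out of a log entry regardless of the surrounding layout.
REQUEST_LINE = re.compile(r'"(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"')


def suspicious_params(target: str) -> Dict[str, str]:
    """Return decoded query parameters whose value contains a metacharacter."""
    query = urlsplit(target).query
    hits: Dict[str, str] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode a second time so that double-encoded
        # payloads (%2524 -> %24 -> $) are inspected in their final form.
        decoded = unquote(value)
        if METACHARS.search(decoded):
            hits[key] = decoded
    return hits


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing matches."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    method, target = m.group(1), m.group(2)
    path = unquote(urlsplit(target).path)
    if not ARCHIVE_PATH.match(path):
        return None
    params = suspicious_params(target)
    if not params:
        return None
    return {"method": method, "path": path, "params": params}


def scan(lines: Iterable[str]) -> List[dict]:
    """Run analyse_line over a log stream and collect the findings."""
    return [hit for hit in (analyse_line(line) for line in lines) if hit is not None]


# Constructed sample entries in a common-log-style layout (not real Bitbucket logs).
SAMPLE_LOG = [
    '10.1.2.3 - alice [30/Aug/2022:10:00:01 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip&at=refs/heads/main HTTP/1.1" 200 51234',
    '10.1.2.9 - - [30/Aug/2022:10:00:07 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?prefix=a%3Bb HTTP/1.1" 500 0',
    '10.1.2.9 - - [30/Aug/2022:10:00:09 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?prefix=%2524%2528x%2529 HTTP/1.1" 500 0',
    '10.1.2.3 - alice [30/Aug/2022:10:00:12 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/commits?until=a%7Cb HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

To run it over real logs, pass an open file to `scan` and adjust `ARCHIVE_PATH` to the layout your instance actually logs. The decode-then-match order is the point: a rule that inspects the raw request line sees `%3B`, not `;`, and a rule that decodes only once still misses `%2524`. Findings from this script are a starting point for review, not proof of compromise; correlate them with the process-spawning and outbound-connection indicators listed above.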
Monitoring Recommendations
- Continuously monitor the Bitbucket service account for unexpected process spawning or network activity
- Implement file integrity monitoring (FIM) on critical Bitbucket installation directories and configuration files
- Review repository access patterns for anomalous read operations, particularly from recently created or low-activity accounts
- Monitor for lateral movement attempts originating from the Bitbucket server to other internal systems
How to Mitigate CVE-2022-36804
Immediate Actions Required
- Upgrade Atlassian Bitbucket Server and Data Center to a patched version immediately: 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, 8.3.1, or any later release on the same branch
- If immediate patching is not possible, disable public repository access to reduce the attack surface
- Review access logs for signs of exploitation and audit all user accounts with repository read access
- Implement network segmentation to isolate the Bitbucket server from critical infrastructure
- Consider temporarily taking the Bitbucket instance offline if active exploitation is suspected
Patch Information
Atlassian has released security patches addressing CVE-2022-36804 across all affected version branches. Organizations should upgrade to the following minimum versions:
| Version Branch | Minimum Safe Version |
|---|---|
| 7.6.x | 7.6.17 |
| 7.17.x | 7.17.10 |
| 7.21.x | 7.21.4 |
| 8.0.x | 8.0.3 |
| 8.1.x | 8.1.3 |
| 8.2.x | 8.2.2 |
| 8.3.x | 8.3.1 |
For detailed upgrade instructions and patch downloads, refer to the Atlassian Jira Issue BSERV-13438.
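To check an inventory of Bitbucket instances against the ranges listed above, here is an added Python example (not Atlassian's code) that encodes the page's affected ranges as half-open intervals [first affected, first fixed) and reports the minimum safe version for a given version string. The range data comes from the Affected Products list and the table above; the `major.minor.patch` version-string format and the rejection of pre-release suffixes are assumptions of the example.

```python
"""Check a Bitbucket Server / Data Center version string against the
CVE-2022-36804 affected ranges listed on this page.  Added example; the
version-string format accepted here is an assumption."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) pairs, taken from the Affected Products list
# and the patch table above.  Only these listed ranges are checked.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 0, 0), (7, 6, 17)),
    ((7, 7, 0), (7, 17, 10)),
    ((7, 18, 0), (7, 21, 4)),
    ((8, 0, 0), (8, 0, 3)),
    ((8, 1, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 2)),
    ((8, 3, 0), (8, 3, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (e.g. '7.21.3'); missing trailing components
    default to 0.  Pre-release strings such as '8.0.0-rc1' are rejected so a
    build that is not a plain release is never silently classified."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def affected_range(version: str) -> Optional[Tuple[Version, Version]]:
    """Return the (first_affected, first_fixed) interval containing `version`,
    or None when the version falls outside every listed range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return lo, hi
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def minimum_fix_for(version: str) -> Optional[str]:
    """Smallest fixed version on the same branch, or None if not affected."""
    r = affected_range(version)
    if r is None:
        return None
    return ".".join(str(n) for n in r[1])


if __name__ == "__main__":
    for v in ["7.6.16", "7.6.17", "7.21.3", "8.0.2", "8.3.0", "8.3.1"]:
        fix = minimum_fix_for(v)
        print(v, f"AFFECTED -> upgrade to {fix}" if fix else "not affected")
```

The half-open comparison on integer tuples is what keeps the branch boundaries right: 7.6.17 is fixed but 7.6.16 is not, and 7.6.20 is not affected even though it is below 7.17.10, because it belongs to the 7.6.x branch rather than the 7.7.0 to 7.17.10 interval.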
Workarounds
- Disable public access to repositories by requiring authentication for all repository operations
- Use a web application firewall (WAF) or reverse proxy to filter malicious requests targeting vulnerable API endpoints
- Implement network-level access controls to restrict who can reach the Bitbucket instance, limiting exposure to trusted networks only
- Review and minimize repository permissions, removing read access from unnecessary user accounts
# Example: Restrict Bitbucket to internal network access only using iptables
# Allow access only from the trusted internal subnet; 7990 is Bitbucket's default HTTP port.
# -A appends to the chain, so these rules only take effect if no earlier rule already accepts the traffic.
iptables -A INPUT -p tcp --dport 7990 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 7990 -j DROP
# Or restrict at the reverse proxy level (nginx example)
# Add to the nginx server block for Bitbucket. The Bitbucket web UI itself calls /rest/api/ endpoints,
# so this also confines interactive use to the allowed subnet.
# location /rest/api/ {
#     allow 10.0.0.0/8;
#     deny all;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.