CVE-2022-36804

unknown KEV

Published 2022-09-30 · Modified 2022-09-30

CVSS v3

—

CVSS v2

—

VIR risk

1.5

Description

Multiple API endpoints of Atlassian Bitbucket Server and Data Center contain a command injection vulnerability where an attacker with access to a public Bitbucket repository, or with read permissions to a private one, can execute code by sending a malicious HTTP request.

CISA KEV

Vendor: Atlassian
Product: Bitbucket Server and Data Center
Due date: 2022-10-21

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://jira.atlassian.com/browse/BSERV-13438; https://nvd.nist.gov/vuln/detail/CVE-2022-36804

Exploits

References

https://jira.atlassian.com/browse/BSERV-13438; https://nvd.nist.gov/vuln/detail/CVE-2022-36804

Verify integrity in audit chain (admin only). AS-IS.