Bitbucket Server and Data Center Advisory 2022-08-24

Bitbucket Server and Data Center - Command injection vulnerability - CVE-2022-36804


CVE-2022-36804 - command injection vulnerability

Advisory Release Date

24 Aug 2022 10 AM PDT (Pacific Time, -7 hours)


  • Bitbucket Server

  • Bitbucket Data Center



Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which was introduced in version 7.0.0 of Bitbucket Server and Data Center. All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.

There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.

This issue can be tracked here: BSERV-13438 - Getting issue details... STATUS

Atlassian Cloud sites are not affected.

If you access Bitbucket via a domain, it is hosted by Atlassian and you are not affected by the vulnerability.


Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Affected Versions

All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.

Fixed Versions

What You Need to Do

Atlassian recommends that you upgrade your instance to one of the versions listed in the “Fixed Versions” section of this same page. For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket from the download center. For Frequently Asked Questions (FAQ) click here.

Bitbucket Mesh

If you have configured Bitbucket Mesh nodes, these will need to be updated with to the corresponding version of Mesh that includes the fix. To find the version of Mesh compatible with Bitbucket Data Center version, please check the compatibility matrix. You can download the corresponding version from the download center.

If you are unsure if your Bitbucket instance has Bitbucket Mesh configured, as a user with system administration privileges navigate to Administration > Bitbucket Mesh, this page will list Mesh nodes each of which will need to be upgraded. If the list is empty, your instance does not have Mesh configured and this extra step is not required.


To remediate this vulnerability, update each affected product installation to a fixed version listed above.

If you’re unable to upgrade Bitbucket, a temporary mitigation step is to turn off public repositories globally by setting feature.public.access=false as this will change this attack vector from an unauthorized attack to an authorized attack. This can not be considered a complete mitigation as an attacker with a user account could still succeed.


This vulnerability was discovered by @TheGrandPew and reported via our Bug Bounty program.


If you did not receive an email for this advisory and you wish to receive such emails in the future go to and subscribe to Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at


Security Bug fix Policy

As per our new policy critical security bug fixes will be back ported in accordance with  We will release new maintenance releases for the versions covered by the policy instead of binary patches.

Binary patches are no longer released. 

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at

End of Life Policy

 Our end of life policy varies for different products. Please refer to our EOL Policy for details. 

Last modified on Aug 24, 2022

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.