
PRP: Request Atlassian Bitbucket Server and Data Center RCE (CVE-2022-36804) #266

Open
SuperX-SIR opened this issue Sep 5, 2022 · 1 comment · May be fixed by #267
Labels: Contributor main (the main issue a contributor is working on, top of the contribution queue), PRP:Accepted, PRP:Inactive

Comments


SuperX-SIR commented Sep 5, 2022

Hello.
I want to contribute to the tsunami scanner with a detector plugin to detect CVE-2022-36804 vulnerability

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-36804
https://jira.atlassian.com/browse/BSERV-13438
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804

Description

The vulnerability has been assigned the CVE ID CVE-2022-36804; the severity level of the vulnerability is Critical (CVSS v3 score: 9.9 => Critical severity): https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository (remote, unauthenticated attacker) or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.

Versions

All versions released after 6.10.17, including 7.0.0 and newer, are affected. This means that all instances running any version between 7.0.0 and 8.3.0 inclusive can be exploited through this vulnerability.
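An added example, not code from this issue or from the Tsunami project: a version-range check in Python that implements the affected-version statement above (7.0.0 through 8.3.0 inclusive, as the reporter summarises it) and the kind of fingerprinting step a detector plugin would run before anything more invasive. It assumes the target's version can be read from the JSON body that Bitbucket's /rest/api/1.0/application-properties endpoint returns (an assumption here, and the response bodies in the block are constructed, not captured from a real server). The caveat a detector author needs is in the lead-in rather than the code: the reporter's range is a summary, so a patched release that still falls inside 7.0.0 to 8.3.0 would be flagged by a version-only check; a real plugin should compare against the fixed-version list in BSERV-13438 and treat this result as a triage signal, not as confirmation of exploitability.

```python
"""Version-range triage for the affected-version statement in the issue above.

Assumptions (not taken from the issue):
  * the version is read from the JSON returned by
    GET /rest/api/1.0/application-properties, e.g. {"version": "7.21.0", ...}
  * the affected range is exactly the one the reporter states; the vendor's
    fixed-version list (BSERV-13438) is not encoded here.
"""
import json
import re
from typing import Optional, Tuple

# Affected range as stated by the reporter: 7.0.0 through 8.3.0 inclusive.
AFFECTED_MIN: Tuple[int, int, int] = (7, 0, 0)
AFFECTED_MAX: Tuple[int, int, int] = (8, 3, 0)

# major.minor[.patch]; any trailing qualifier (e.g. "-SNAPSHOT") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' into a comparable tuple; None if unparsable."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def in_affected_range(version: str) -> Optional[bool]:
    """True if the version lies inside the reporter's range, False if outside,
    None if the string cannot be parsed (a scanner must not guess here)."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


def version_from_application_properties(body: str) -> Optional[str]:
    """Extract the 'version' field from the (assumed) application-properties JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    version = data.get("version") if isinstance(data, dict) else None
    return version if isinstance(version, str) else None


def classify(body: str) -> str:
    """Turn one response body into a triage verdict a detector could report."""
    version = version_from_application_properties(body)
    if version is None:
        return "unknown: no version in response"
    affected = in_affected_range(version)
    if affected is None:
        return f"unknown: unparsable version {version!r}"
    verdict = "possibly affected" if affected else "outside affected range"
    return f"{verdict}: {version}"


# Constructed sample responses for offline testing; not captured from a server.
SAMPLE_RESPONSES = {
    "in-range": '{"version":"7.21.0","buildNumber":"7021000","displayName":"Bitbucket"}',
    "below": '{"version":"6.10.17","buildNumber":"6010017","displayName":"Bitbucket"}',
    "above": '{"version":"8.4.1","buildNumber":"8004001","displayName":"Bitbucket"}',
    "no-version": '{"displayName":"Bitbucket"}',
    "not-json": "<html>login page</html>",
}

if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        print(f"{label:>10}: {classify(body)}")
```

The comparison is done on integer tuples rather than on strings so that 7.21.0 sorts after 7.6.0; string comparison would get that wrong, which is the usual bug in ad-hoc version checks. Unparsable or missing versions return None and are reported as unknown instead of being silently treated as safe.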

maoning (Collaborator) commented Sep 13, 2022

Hi @SuperX-SIR ,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.

Thanks!

@SuperX-SIR SuperX-SIR linked a pull request Sep 16, 2022 that will close this issue
@tooryx tooryx added the Contributor main The main issue a contributor is working on (top of the contribution queue). label Feb 1, 2024
@tooryx tooryx linked a pull request Feb 1, 2024 that will close this issue