Vulnerability in Bitbucket Server allowing code to be executed on the server

A critical vulnerability (CVE-2022-36804) has been identified in Bitbucket Server, a package for deploying a web interface for working with git repositories. It could allow a remote attacker with read access to a public or private repository to execute arbitrary code on the server by sending a specially crafted HTTP request. The issue has been present since version 6.10.17 and is fixed in the 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.2.2, and 8.3.1 releases of Bitbucket Server and Bitbucket Data Center. The vulnerability does not affect the bitbucket.org cloud service; only the self-hosted products deployed on customers' own infrastructure are affected.

The vulnerability was discovered by a security researcher through the Bugcrowd bug bounty program, which pays rewards for identifying previously unknown vulnerabilities. The reward was 6 thousand dollars. Details of the attack method and a proof-of-concept exploit are to be published 30 days after the release of the fix. As a measure to reduce the risk of attack before the patch is applied, it is recommended to restrict public access to repositories with the "feature.public.access=false" setting. Since the attacker only needs read access to some repository, this closes the unauthenticated path but does not protect against authenticated users with read access, so upgrading remains necessary.
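As an added example (not Atlassian's code), the following Python helper turns the two facts above into a pre-patch triage check for a self-hosted instance: it compares an installed version against the advisory's fixed releases per minor branch and reads whether the feature.public.access mitigation is set in a bitbucket.properties file. The properties sample is constructed, and treating an absent key as "public access enabled" is an assumption.

```python
"""Pre-patch triage for CVE-2022-36804 on self-hosted Bitbucket Server /
Data Center (added example, not Atlassian's code)."""
import re

FIRST_AFFECTED = (6, 10, 17)  # earliest release containing the bug
FIXED = {  # fixed release per minor branch, from the advisory
    (7, 6): (7, 6, 17), (7, 17): (7, 17, 10), (7, 21): (7, 21, 4),
    (8, 0): (8, 0, 3), (8, 2): (8, 2, 2), (8, 3): (8, 3, 1),
}
# Constructed sample of bitbucket.properties with the mitigation applied.
SAMPLE_PROPERTIES = "server.port=7990\nfeature.public.access=false\n"


def parse_version(text):
    """'7.21.3' -> (7, 21, 3); anything else raises ValueError."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def vulnerability_status(version):
    """'not affected', 'vulnerable', 'fixed', or 'unlisted' (branch has no
    fixed release in the advisory, so the vendor's list must decide)."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not affected"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if v >= fixed else "vulnerable"


def public_access_enabled(properties_text):
    """True unless feature.public.access=false is set. Only key=value lines
    are parsed; an absent key is treated as enabled (assumed default)."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "feature.public.access":
            return value.strip().lower() != "false"
    return True


def triage(version, properties_text):
    # One-line summary a defender can act on before the patch is applied.
    status = vulnerability_status(version)
    if status != "vulnerable":
        return status
    if public_access_enabled(properties_text):
        return "vulnerable: public access on, restrict it or patch now"
    return "vulnerable: anonymous path closed, patch still required"
```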

Source: opennet.ru
