Bitbucket is a Git-based source code repository hosting service owned by Atlassian. Bitbucket offers both commercial plans and free accounts with an unlimited number of private repositories.
A command injection vulnerability in Bitbucket Server and Data Center has received a CVSS severity score of 9.9. On the scale published in Atlassian’s severity levels, this vulnerability rates as ‘Critical’.
“An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request”, reads the advisory published by Atlassian.
Affected and Fixed Versions
All versions released after 6.10.17, including 7.0.0 and newer, are affected. This means that every instance running any version between 7.0.0 and 8.3.0 inclusive is affected by this vulnerability.
Further, the company states that users who access Bitbucket via the bitbucket.org domain are not affected by the vulnerability, as that service is hosted by Atlassian.
Atlassian advises users to upgrade their instance to one of the versions listed in the “Fixed Versions” table. Also, if you have configured Bitbucket Mesh nodes, these will need to be updated to the corresponding version of Mesh that includes the fix.
If you are unsure whether your Bitbucket instance has Bitbucket Mesh configured, navigate as a user with system administration privileges to Administration > Bitbucket Mesh. This page lists the Mesh nodes, each of which will need to be upgraded.
If you are unable to upgrade Bitbucket, the company recommends applying a temporary partial mitigation: turning off public repositories by setting “feature.public.access=false”.
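As an added defender-side triage helper (not code from Atlassian or from the article), the script below checks whether a reported Bitbucket Server version falls inside the affected range the article gives (7.0.0 through 8.3.0 inclusive) and whether the temporary mitigation `feature.public.access=false` is present in a `bitbucket.properties` file. It only knows the coarse range, not the patched point releases in Atlassian’s “Fixed Versions” table, so a fixed release inside that range is still flagged; the properties sample is constructed and the `key=value` parsing is an assumption about the file’s layout.

```python
import re
from typing import Tuple

# Affected range as stated in the article: 7.0.0 through 8.3.0 inclusive.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (8, 3, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.2.1' (or '7.21.3-something') into a comparable tuple of ints."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_in_affected_range(version: str) -> bool:
    """Coarse check against the article's range only; it does not know the
    vendor's fixed point releases that sit inside that range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def public_access_disabled(properties_text: str) -> bool:
    """True when bitbucket.properties sets feature.public.access=false.
    Assumes 'key=value' lines; '#' lines are comments; last occurrence wins."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, raw = line.partition("=")
        if sep and key.strip() == "feature.public.access":
            value = raw.strip().lower()
    return value == "false"


def triage(version: str, properties_text: str) -> str:
    """Summarise exposure: outside range, affected-with-mitigation, or affected."""
    if not is_in_affected_range(version):
        return "not in affected range"
    if public_access_disabled(properties_text):
        return "affected: upgrade required (public repositories disabled as partial mitigation)"
    return "affected: upgrade required (no mitigation applied)"


# Constructed sample bitbucket.properties for a hypothetical instance.
SAMPLE_PROPERTIES = """# constructed sample, not a real instance
server.port=7990
feature.public.access=false
"""

if __name__ == "__main__":
    print(triage("8.2.1", SAMPLE_PROPERTIES))
```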