CVE-2022-36804

CVE Database · CVE-2022-36804

CVE-2022-36804

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

99.17%

Published

Aug 25, 2022

Modified

Oct 24, 2025

CISA Known Exploited Vulnerability

Added: 2022-09-30 · Due: 2022-10-21

Apply updates per vendor instructions.

Public PoC / Exploit (11)

All weaponized →

Exploit-DBBitbucket v7.0.0 - RCE NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCnotdls/CVE-2022-36804★35 GitHub PoCnotxesh/CVE-2022-36804-PoC★18 GitHub PoCbenjaminhays/CVE-2022-36804-PoC-Exploit★16 GitHub PoCSystemVll/CVE-2022-36804★12 GitHub PoCwalnutsecurity/cve-2022-36804★8 GitHub PoCkljunowsky/CVE-2022-36804-POC★7 GitHub PoCtahtaciburak/cve-2022-36804★7 GitHub PoCColdFusionX/CVE-2022-36804★7

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78CWE-88CWE-78CWE-88

Affected Products (7)

atlassian · bitbucket (up to 7.6.17)vulnerable

atlassian · bitbucket (up to 7.17.10)vulnerable

atlassian · bitbucket (up to 7.21.4)vulnerable

atlassian · bitbucket (up to 8.0.3)vulnerable

atlassian · bitbucket (up to 8.1.3)vulnerable

atlassian · bitbucket (up to 8.2.2)vulnerable

atlassian · bitbucketvulnerable