all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

Bitbucket Git Command Injection

Add to bookmarks
Sept. 22, 2022, 4:01 p.m. |

Packet Storm packetstormsecurity.com

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.

bitbucket command command injection git injection

Visit resource

More from packetstormsecurity.com / Packet Storm

Debian Security Advisory 5665-1 1 day, 1 hour ago | packetstormsecurity.com
advisory debian debian linux security engine +7
Debian Security Advisory 5664-1 1 day, 1 hour ago | packetstormsecurity.com
advisory attackers can clients +20
Elber Wayber Analog/Digital Audio STL 4.00 Insecure Direct Object Reference 1 day, 1 hour ago | packetstormsecurity.com
audio client client-side configuration +11
Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass 1 day, 1 hour ago | packetstormsecurity.com
access attackers audio authentication +15
Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Insecure Direct Object Reference 1 day, 1 hour ago | packetstormsecurity.com
client client-side configuration device +12
Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass 1 day, 1 hour ago | packetstormsecurity.com
access attackers authentication authentication bypass +16
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Insecure Direct Object Reference 1 day, 1 hour ago | packetstormsecurity.com
client client-side configuration device +10
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass 1 day, 1 hour ago | packetstormsecurity.com
access attackers authentication authentication bypass +14
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Insecure Direct Object Reference 1 day, 1 hour ago | packetstormsecurity.com
1.0.0 broadcast client client-side +14

Jobs in InfoSec / Cybersecurity

Post a job on infosec-jobs.com Find talent on infosec-jobs.com

SOC 2 Manager, Audit and Certification

@ Deloitte | US and CA Multiple Locations
View on infosec-jobs.com

Information Security Engineers

@ D. E. Shaw Research | New York City
View on infosec-jobs.com

SOC Cyber Threat Intelligence Expert

@ Amexio | Luxembourg, Luxembourg, Luxembourg
View on infosec-jobs.com

Systems Engineer - SecOps

@ Fortinet | Dubai, Dubai, United Arab Emirates
View on infosec-jobs.com

Ingénieur Cybersécurité Gouvernance des projets AMR H/F

@ ASSYSTEM | Lyon, France
View on infosec-jobs.com

Senior DevSecOps Consultant

@ Computacenter | Birmingham, GB, B37 7YS
View on infosec-jobs.com
View more jobs