Web: https://packetstormsecurity.com/files/168470/bitbucket_git_cmd_injection.rb.txt

Sept. 22, 2022, 4:01 p.m. |

Packet Storm packetstormsecurity.com

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.

bitbucket command command injection git injection

Field Security Specialist (GitHub Advanced Security Pre-Sales Engineer)

@ GitHub | Remote - US East

Cyber Threat Intelligence (CTI) Analyst

@ XOR Security | Alexandria, VA

Senior Manual QA (Cyber Protect)

@ Acronis | Budapest, Hungary

Security Operations Engineer

@ Cloudflare, Inc. | Lisbon, Portugal

Senior Security Consultant

@ Charterhouse | Peterborough, England, United Kingdom

Enterprise Sales Executive (Missouri)

@ Datadog | Missouri, USA, Remote

iCAM - Cyber/Network Security Background**

@ SonicWall | Bengaluru, Karnataka, India

Territory Account Manager - Cyber Security Background*

@ SonicWall | Melbourne, Victoria, Australia

Cybersecurity and Supply Chain Risk Manager

@ Avint | Washington, District of Columbia, United States - Remote

Implementation Consultant

@ Snyk | Australia, Japan, or Singapore

Information Systems Security Engineer (ISSE)

@ Novetta | Columbia, Maryland

Vulnerability Management Engineer (Splunk)

@ Aperia | Dallas, Texas, United States - Remote