PatchSiren cyber security CVE debrief

CVE-2022-36804 Atlassian CVE debrief

CVE-2022-36804 is a command injection vulnerability affecting Atlassian Bitbucket Server and Data Center. CISA added it to the Known Exploited Vulnerabilities catalog on 2022-09-30, which signals confirmed exploitation and makes remediation a priority for any exposed Bitbucket deployment.

Vendor: Atlassian
Product: Bitbucket Server and Data Center
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2022-09-30
Original CVE updated: 2022-09-30
Advisory published: 2022-09-30
Advisory updated: 2022-09-30

Who should care

Security teams, Bitbucket administrators, and vulnerability management owners responsible for Atlassian Bitbucket Server and Data Center instances should treat this as a high-priority issue, especially where the product is internet-facing or broadly reachable inside the network.

Technical summary

The vulnerability is identified by Atlassian and CISA as a command injection issue in Bitbucket Server and Data Center. The source record points to Atlassian’s Jira issue BSERV-13438 and NVD’s CVE entry for further vendor and database context. CISA’s KEV listing includes a required action to apply updates per vendor instructions and sets a due date of 2022-10-21.

Defensive priority

High. KEV inclusion indicates known exploitation, so affected Bitbucket instances should be reviewed and remediated immediately using vendor guidance.

Recommended defensive actions

  • Inventory all Atlassian Bitbucket Server and Data Center deployments, including test and standby systems.
  • Apply Atlassian’s updates and remediation guidance referenced by the vendor issue and KEV record.
  • Confirm whether any Bitbucket instance is externally reachable or accessible from untrusted network segments.
  • Review authentication, access, and application logs for unusual activity around the CVE publication window and afterward.
  • Prioritize compensating controls such as access restriction and monitoring until remediation is complete.
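The first two actions above amount to cross-referencing an asset inventory against the KEV record and working to its due date. The script below is an added example, not PatchSiren's or Atlassian's code. The KEV excerpt is constructed inline but uses the field names of the public CISA KEV JSON feed (cveID, vendorProject, product, dateAdded, requiredAction, dueDate) and the values stated in this debrief; the second KEV entry and the inventory hostnames, product labels and exposure tags are invented placeholders.

```python
import json
from datetime import datetime

# Constructed KEV excerpt. Field names follow the public CISA KEV JSON feed;
# the CVE-2022-36804 values are taken from the debrief, the second entry is a
# placeholder (not a real CVE id) so that vendor filtering is exercised.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-36804",
            "vendorProject": "Atlassian",
            "product": "Bitbucket Server and Data Center",
            "dateAdded": "2022-09-30",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-10-21",
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder entry for an unrelated product
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2022-09-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-09-22",
        },
    ]
})

# Constructed asset inventory: hostnames, product labels and exposure are invented.
INVENTORY = [
    {"host": "bitbucket-prod.example.internal", "vendor": "Atlassian",
     "product": "Bitbucket Data Center", "exposure": "internet"},
    {"host": "bitbucket-test.example.internal", "vendor": "Atlassian",
     "product": "Bitbucket Server", "exposure": "internal"},
    {"host": "jira.example.internal", "vendor": "Atlassian",
     "product": "Jira Software", "exposure": "internal"},
]


def _tokens(name):
    return set(name.lower().replace("-", " ").split())


def product_matches(inventory_product, kev_product):
    """True when every word of the inventory product label occurs in the KEV product name.

    KEV names are often umbrella labels ("Bitbucket Server and Data Center"),
    so a token-subset test catches both the Server and the Data Center assets.
    """
    return _tokens(inventory_product) <= _tokens(kev_product)


def find_kev_exposure(kev_json, inventory, as_of):
    """Return one finding per (asset, KEV entry) pair whose vendor and product line up.

    as_of is an ISO date string; daysPastDue is negative while the deadline is
    still ahead. Findings are ordered internet-facing first, then most overdue.
    """
    today = datetime.strptime(as_of, "%Y-%m-%d").date()
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for entry in entries:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if not product_matches(asset["product"], entry["product"]):
                continue
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "exposure": asset["exposure"],
                "dueDate": entry["dueDate"],
                "requiredAction": entry["requiredAction"],
                "daysPastDue": (today - due).days,
            })
    findings.sort(key=lambda f: (f["exposure"] != "internet", -f["daysPastDue"]))
    return findings


if __name__ == "__main__":
    for f in find_kev_exposure(KEV_JSON, INVENTORY, "2022-10-25"):
        if f["daysPastDue"] > 0:
            status = f"{f['daysPastDue']} days past KEV due date"
        else:
            status = f"{-f['daysPastDue']} days until KEV due date"
        print(f"{f['host']:35} {f['cveID']} [{f['exposure']}] {status}: {f['requiredAction']}")
```

Against a real deployment, replace KEV_JSON with the downloaded catalog and INVENTORY with the CMDB export; the exposure field is what turns the flat KEV list into the ordering the "Confirm whether any Bitbucket instance is externally reachable" step asks for.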

Evidence notes

CVE and source timestamps are both 2022-09-30. CISA KEV metadata lists Atlassian as the vendor, Bitbucket Server and Data Center as the product, dateAdded 2022-09-30, dueDate 2022-10-21, and requiredAction "Apply updates per vendor instructions." The source notes also reference Atlassian Jira BSERV-13438 and the NVD CVE detail page.

Official resources

CVE-2022-36804 was publicly disclosed and added to CISA's Known Exploited Vulnerabilities catalog on 2022-09-30; Atlassian Jira issue BSERV-13438 and the NVD CVE detail page are the referenced vendor and database records.