Bitbucket Git Command Injection

Posted by deepcore on September 23, 2022 – 4:36 am

Various versions of Bitbucket Server and Data Center are vulnerable to an unauthenticated command injection vulnerability in multiple API endpoints. The /rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive endpoint creates an archive of the repository, leveraging the git-archive command to do so. Supplying NULL bytes to the request enables the passing of additional arguments to the command, ultimately enabling execution of arbitrary commands.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« [webapps] Testa 3.5.1 Online Test Management System – Reflected Cross-Site Scripting (XSS) Linux Stable 5.4 / 5.10 Use-After-Free / Race Condition »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Bitbucket Git Command Injection

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL