Is CVE-2022-36804 actively exploited?

CVE-2022-36804 has no public evidence of in-the-wild exploitation as of 2025-10-24.

What is the CVSS score for CVE-2022-36804?

CVE-2022-36804 has a CVSS score of 8.8 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2022-36804?

Patch guidance is available from atlassian security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2022-36804.

Fix CVE-2022-36804 - HIGH atlassian bitbucket

Q: Which products are affected by CVE-2022-36804?

7 products: atlassian bitbucket, atlassian bitbucket, atlassian bitbucket, atlassian bitbucket, atlassian bitbucket, and 2 more.

Description

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-78 · OS Command Injection CWE-88 CWE-78 · OS Command Injection CWE-88

Metadata

Primary Vendor: ATLASSIAN
Published: 8/25/2022
Last Modified: 10/24/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

atlassian : bitbucketatlassian : bitbucketatlassian : bitbucketatlassian : bitbucketatlassian : bitbucketatlassian : bitbucketatlassian : bitbucket

Remediation Guidance

Executive Summary

View on NIST NVD