Open SuperX-SIR opened 1 year ago
Hi @SuperX-SIR ,
Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.
Please keep in mind that the Tsunami Scanner Team will only be able to work at one issue at a time for each participant so please hold on the implementation work for any other requests you might have.
Thanks!
Hello. I want to contribute to the tsunami scanner with a detector plugin to detect CVE-2022-36804 vulnerability
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-36804 https://jira.atlassian.com/browse/BSERV-13438 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36804
Description
The vulnerability has been assigned a CVE ID CVE-2022-36804 , the severity level of the vulnerability is Critical : CVSS v3 score: 9.9 => Critical severityhttps://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository(remote, unauthenticated attacker ) or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.
versions
All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability.