Cyber Resilience

CVE-2023-22513

High · RCE

Published: 19 September 2023

Modified: 06 March 2025
KEV Added: (not listed)
Patch: available (see fixed versions below)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1165 (93.8th percentile)
Risk Priority: 25 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22513 is a high-severity Code Injection (CWE-94) vulnerability in Atlassian Bitbucket Data Center. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it in the top 6.2% of CVEs by exploit likelihood (93.8th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-22513 is a high-severity remote code execution vulnerability in Bitbucket Data Center and Server versions 8.0.0 and later. It carries a CVSS 3.1 score of 8.8 and stems from improper control of code generation that permits code injection, as indicated by the associated CWE-94 classification. The flaw affects the core server product and was introduced in the 8.0.0 release.

An authenticated attacker with network access can exploit the issue without user interaction to run arbitrary code on the affected instance, resulting in complete loss of confidentiality, integrity, and availability. Because the attack requires only low-privilege credentials, any valid user account on an unpatched system can be leveraged to achieve full system compromise.

Atlassian’s advisory directs customers to upgrade Bitbucket Data Center and Server to one of the fixed releases: 8.9.5 or later for the 8.9 branch, 8.10.5 or later for 8.10, 8.11.4 or later for 8.11, 8.12.2 or later for 8.12, 8.13.1 or later for 8.13, or 8.14.0 or later for 8.14; organizations running any version between 8.0 and 8.9 should move directly to one of the listed fixed versions. The patches are available through the vendor’s download center and are also referenced in the associated Jira ticket BSERV-14419.

The EPSS score has remained flat at 0.1165 with no material increase after disclosure.

EU & UK References

Vulnerability details

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 8.0.0 of Bitbucket Data Center and Server. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Bitbucket Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.5
Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.5
Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.4
Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.2
Bitbucket Data Center and Server 8.13: Upgrade to a release greater than or equal to 8.13.1
Bitbucket Data Center and Server 8.14: Upgrade to a release greater than or equal to 8.14.0
Bitbucket Data Center and Server version >= 8.0 and < 8.9: Upgrade to any of the listed fix versions.

See the release notes (https://confluence.atlassian.com/bitbucketserver/release-notes). You can download the latest version of Bitbucket Data Center and Server from the download center (https://www.atlassian.com/software/bitbucket/download-archives). This vulnerability was discovered by a private user and reported via our Bug Bounty program.

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Atlassian Bitbucket Data Center: 8.13.0 · 8.9.0 — 8.9.5 · 8.10.0 — 8.10.5 · 8.11.0 — 8.11.4
Atlassian Bitbucket Server: 8.13.0 · 8.9.0 — 8.9.5 · 8.10.0 — 8.10.5 · 8.11.0 — 8.11.4

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-94:

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Dynamically generated code can be produced and executed inside an isolated sandbox, preventing host compromise from code-injection payloads.

Validates inputs used in dynamic code generation to block injected directives.

Directly prevents execution of attacker-supplied code written into data memory regions.

References