This module exploits an unauthenticated command injection in multiple API endpoints by supplying NULL bytes to the git command used at this endpoints which allows the passage of extra arguments that lead to OS command injection. Successful exploitation requires access to a public repository. The deployed agent will run with the atlbitbucket user account privileges.
CVE Link
Exploit Platform
Exploit Type
Product Name