From Atlassian Head of Security Craig Davies:
“Following the disclosure of CVE-2014-6271, we have updated Bitbucket to address this possible issue by ensuring bash is not used. All other Atlassian products and services, including Stash, have been tested and are not affected.
No Atlassian Server products are affected by this bug.”
See the Atlassian website for the post.