Australian software company Atlassian has rolled out security updates to address two serious flaws affecting its Bitbucket Server, Data Center and Crowd products.
The issues are tracked as CVE-2022-43781 and CVE-2022-43782, both rated 9 out of 10 on the CVSS vulnerability scoring system.
Atlassian states that CVE-2022-43781 was introduced in version 7.0.0 of Bitbucket Server and Data Center and affects versions 7.0 to 7.21 and 8.0 to 8.4 (only if mesh.enabled is set to false in bitbucket.properties).
The vulnerability has been described as a command injection via environment variables that could allow an attacker who controls their username to execute code on an affected system.
As a temporary workaround, the company recommends that users turn off the “Public Signup” option (Admin > Authentication).
“Disabling public signup will change the attack vector from unauthenticated to authenticated, reducing the risk of exploitation,” the advisory states. “A user authenticated with ADMIN or SYS_ADMIN can exploit the vulnerability even if public signup is disabled.”
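A quick triage helper for the affected-version conditions above, added here as an example and not Atlassian's own tooling: it parses a copy of bitbucket.properties and reports whether an installed version falls inside the advisory's ranges and has mesh.enabled set to false. The affected ranges and the mesh.enabled condition come from the article; treating a missing mesh.enabled key as "potentially affected" is an assumption.

```python
"""Assess a Bitbucket Server/DC instance against the CVE-2022-43781 conditions
summarised in the article (added example, not Atlassian tooling)."""
import re

# Inclusive (major, minor) ranges stated in the article: 7.0-7.21 and 8.0-8.4
AFFECTED_RANGES = [((7, 0), (7, 21)), ((8, 0), (8, 4))]


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def version_tuple(version):
    """'8.4.1' -> (8, 4); patch level does not matter for the advisory ranges."""
    parts = version.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def in_affected_range(version):
    v = version_tuple(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess_cve_2022_43781(version, properties_text):
    """Return a short verdict string for the given version and properties file."""
    if not in_affected_range(version):
        return "not affected: version outside advisory ranges"
    mesh = parse_properties(properties_text).get("mesh.enabled", "").lower()
    if mesh == "false":
        return "affected: mesh.enabled=false on an in-range version; patch, disable Public Signup meanwhile"
    if mesh == "true":
        return "not affected per advisory condition (mesh.enabled=true); upgrade anyway"
    # Assumption: key absent means the effective value is unknown, so flag for review
    return "potentially affected: mesh.enabled not set; confirm the effective value"


if __name__ == "__main__":
    # Constructed sample properties file for demonstration
    sample = "# constructed sample\nserver.port=7990\nmesh.enabled = false\n"
    print(assess_cve_2022_43781("8.2.0", sample))
```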
The second vulnerability, CVE-2022-43782, concerns a misconfiguration in Crowd Server and Data Center that allows an attacker to call privileged API endpoints, but only if the malicious actor is connecting from an IP address that has been added to the Remote Address configuration.
Introduced in Crowd 3.0.0 and identified during an internal security review, the flaw affects all new installations; users who upgraded from versions prior to Crowd 3.0.0 are not vulnerable.
It’s not uncommon for Atlassian and Bitbucket flaws to be exploited in the wild. As such, it is imperative that users act quickly to apply the patch.
Last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a command injection flaw in Bitbucket Server and Data Center (CVE-2022-36804, CVSS score: 9.9) has been weaponized in attacks since late September 2022.