Atlassian informed customers this week that it has patched critical vulnerabilities in its Crowd and Bitbucket products.
In the Bitbucket source code repository hosting service, Atlassian fixed CVE-2022-43781, a critical command injection vulnerability that affects Bitbucket Server and Data Center version 7 and, in some cases, version 8.
“There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system,” Atlassian explained.
Updates that patch the flaw have been released for both Bitbucket 7 and 8. Atlassian Cloud sites are not affected.
In the case of Crowd, an application security framework that handles authentication and authorization for web-based applications, Atlassian fixed CVE-2022-43782, a critical security misconfiguration issue affecting all versions starting with 3.0.0.
“The vulnerability allows an attacker connecting from an IP in the allow list to authenticate as the crowd application through bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd’s REST API under the usermanagement path,” Atlassian explained.
While this security hole has been rated ‘critical’, it can only be exploited by IPs in the Crowd application’s allowlist in the Remote Addresses configuration. In addition, it only impacts new installations — users who have updated their installation from a version prior to 3.0.0 are not affected.
There does not appear to be any evidence of malicious exploitation — the vulnerability was discovered internally by Atlassian — but indicators of compromise (IoCs) have also been made available for CVE-2022-43782.
It’s not uncommon for threat actors to exploit vulnerabilities in Atlassian products in their attacks.
Last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a Bitbucket vulnerability patched in August had been targeted in attacks. Exploitation attempts started weeks after patches were released.
Related: Atlassian Patches Confluence Zero-Day as Exploitation Attempts Surge
Related: Atlassian Expects Confluence App Exploitation After Hardcoded Password Leak
Related: Atlassian Ships Urgent Patch for Critical Bitbucket Vulnerability
Related: Jira Align Vulnerabilities Exposed Atlassian Infrastructure to Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.