Atlassian’s security response team has issued an urgent advisory to warn of a critical command injection flaw in its Bitbucket Server and Data Center product.
The vulnerability carries a CVSS severity score of 9.9 out of 10 and can be exploited remotely to launch code execution attacks, Atlassian said.
Atlassian said the security defect, tracked as CVE-2022-36804, was introduced in version 7.0.0 of Bitbucket Server and Data Center.
From the alert:
“There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.
All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability.”
The company said Atlassian Cloud sites are not affected by this issue.
The disclosure of a new critical-severity issue from Atlassian follows the documentation of in-the-wild attacks hitting the Australian company’s widely deployed Confluence software product.
This year alone, the U.S. government’s cybersecurity response agency CISA has listed four distinct Atlassian software flaws in its KEV (Known Exploited Vulnerabilities) catalog
Related: Atlassian Patches Critical Authentication Bypass Vulnerability in Jira
Related: Atlassian Confluence Servers Hacked via Zero-Day Vulnerability
Related: Atlassian Expects Confluence App Exploitation After Hardcoded Password Leak
Related: Atlassian Patches Confluence Zero-Day as Exploitation Attempts Surge
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Backslash Snags $8M Seed Financing for AppSec Tech
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
- Rapid7 Buys Anti-Ransomware Firm Minerva Labs for $38 Million
- Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
