Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability

The United States Cybersecurity and Infrastructure Security Agency (CISA) is warning of the active exploitation of a recent Atlassian Bitbucket vulnerability and two Microsoft Exchange zero-days.

Atlassian Bitbucket is a Git-based repository management solution that provides source code hosting and sharing capabilities.

The United States Cybersecurity and Infrastructure Security Agency (CISA) is warning of the active exploitation of a recent Atlassian Bitbucket vulnerability and two Microsoft Exchange zero-days.

Atlassian Bitbucket is a Git-based repository management solution that provides source code hosting and sharing capabilities.

Tracked as CVE-2022-36804 (CVSS score of 9.9), the now-exploited vulnerability is described as a command injection bug that impacts multiple API endpoints of Bitbucket Server and Data Center.

“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian explains.

The issue impacts all Bitbucket versions released after 6.10.17, meaning that “any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability,” the company notes in its advisory.

Atlassian released a patch for this security flaw in August 2022, but it appears that not all Bitbucket users updated their deployments, and exploitation of this security bug started at least two weeks ago.

“We at have been observing active scanning and exploitation of the just announced CVE-2022-36804 – this CVE affects Atlassian Bitbucket,” tweeted on September 23 Tiago Henriques, founder of Coalition-owned BinaryEdge.

Data from threat intelligence firm GreyNoise also shows malicious exploitation attempts in late September.

CISA on Friday announced that it has added CVE-2022-36804 to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

Also on Friday, CISA added to the KEV list two Microsoft Exchange zero-days that were made public last week, and which are tracked as CVE-2022-41040 (server-side request forgery – SSRF) and CVE-2022-41082 (remote code execution).

Successful exploitation of the two flaws – which are named ProxyNotShell, due to similarities with the Exchange Server flaw called ProxyShell – requires authenticated access to a vulnerable server.

Per Binding Operational Directive (BOD) 22-01, federal agencies have until October 21 to address these three vulnerabilities within their networks.

Related: CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation

Related: CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List

Related: CISA: Vulnerability in ​​Delta Electronics ICS Software Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.