Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability

The United States Cybersecurity and Infrastructure Security Agency (CISA) is warning of the active exploitation of a recent Atlassian Bitbucket vulnerability and two Microsoft Exchange zero-days.

Atlassian Bitbucket is a Git-based repository management solution that provides source code hosting and sharing capabilities.

The United States Cybersecurity and Infrastructure Security Agency (CISA) is warning of the active exploitation of a recent Atlassian Bitbucket vulnerability and two Microsoft Exchange zero-days.

Atlassian Bitbucket is a Git-based repository management solution that provides source code hosting and sharing capabilities.

Tracked as CVE-2022-36804 (CVSS score of 9.9), the now-exploited vulnerability is described as a command injection bug that impacts multiple API endpoints of Bitbucket Server and Data Center.

“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian explains.

The issue impacts all Bitbucket versions released after 6.10.17, meaning that “any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability,” the company notes in its advisory.

Atlassian released a patch for this security flaw in August 2022, but it appears that not all Bitbucket users updated their deployments, and exploitation of this security bug started at least two weeks ago.

“We at have been observing active scanning and exploitation of the just announced CVE-2022-36804 – this CVE affects Atlassian Bitbucket,” tweeted on September 23 Tiago Henriques, founder of Coalition-owned BinaryEdge.

Data from threat intelligence firm GreyNoise also shows malicious exploitation attempts in late September.

Advertisement. Scroll to continue reading.

CISA on Friday announced that it has added CVE-2022-36804 to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

Also on Friday, CISA added to the KEV list two Microsoft Exchange zero-days that were made public last week, and which are tracked as CVE-2022-41040 (server-side request forgery – SSRF) and CVE-2022-41082 (remote code execution).

Successful exploitation of the two flaws – which are named ProxyNotShell, due to similarities with the Exchange Server flaw called ProxyShell – requires authenticated access to a vulnerable server.

Per Binding Operational Directive (BOD) 22-01, federal agencies have until October 21 to address these three vulnerabilities within their networks.

Related: CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation

Related: CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List

Related: CISA: Vulnerability in ​​Delta Electronics ICS Software Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.