The United States Cybersecurity and Infrastructure Security Agency (CISA) is warning of the active exploitation of a recent Atlassian Bitbucket vulnerability and two Microsoft Exchange zero-days.
Atlassian Bitbucket is a Git-based repository management solution that provides source code hosting and sharing capabilities.
Tracked as CVE-2022-36804 (CVSS score of 9.9), the now-exploited vulnerability is described as a command injection bug that impacts multiple API endpoints of Bitbucket Server and Data Center.
“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian explains.
The issue impacts all Bitbucket versions released after 6.10.17, meaning that “any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this vulnerability,” the company notes in its advisory.
Atlassian released a patch for this security flaw in August 2022, but it appears that not all Bitbucket users updated their deployments, and exploitation of this security bug started at least two weeks ago.
“We at have been observing active scanning and exploitation of the just announced CVE-2022-36804 – this CVE affects Atlassian Bitbucket,” tweeted on September 23 Tiago Henriques, founder of Coalition-owned BinaryEdge.
Data from threat intelligence firm GreyNoise also shows malicious exploitation attempts in late September.
CISA on Friday announced that it has added CVE-2022-36804 to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
Also on Friday, CISA added to the KEV list two Microsoft Exchange zero-days that were made public last week, and which are tracked as CVE-2022-41040 (server-side request forgery – SSRF) and CVE-2022-41082 (remote code execution).
Successful exploitation of the two flaws – which are named ProxyNotShell, due to similarities with the Exchange Server flaw called ProxyShell – requires authenticated access to a vulnerable server.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until October 21 to address these three vulnerabilities within their networks.
Related: CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation
Related: CISA Clarifies Criteria for Adding Vulnerabilities to ‘Must Patch’ List
Related: CISA: Vulnerability in Delta Electronics ICS Software Exploited in Attacks
More from Ionut Arghire
- Ransomware Will Likely Target OT Systems in EU Transport Sector: ENISA
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
Latest News
- Burnout in Cybersecurity – Can it be Prevented?
- Spain Needs More Transparency Over Pegasus: EU Lawmakers
- Ransomware Will Likely Target OT Systems in EU Transport Sector: ENISA
- Virtual Event Today: Supply Chain & Third-Party Risk Summit
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
