Tuesday, November 29, 2022

Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products

Australian software company Atlassian has rolled out security updates to address two critical flaws affecting its Bitbucket Server, Data Center, and Crowd products.

The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system.

CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center, impacts versions 7.0 to 7.21 and 8.0 to 8.4 (only if mesh.enabled is set to false in bitbucket.properties).
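The affected-version condition above combines a version range with a single setting in bitbucket.properties, which is easy to get wrong when checking a fleet by hand. The following script is an added example (not Atlassian's code or anything from the advisory) that parses a bitbucket.properties file and a version string and reports whether an instance sits inside the CVE-2022-43781 ranges named above. It assumes the version string is taken from the instance itself, that the properties file uses standard Java .properties syntax, and it reports "unknown" when mesh.enabled is absent, because the page does not state the default. The sample properties content is constructed.

```python
"""Assess whether a Bitbucket Server / Data Center instance falls inside the
CVE-2022-43781 affected ranges from the advisory summary (7.0-7.21 and
8.0-8.4, only when mesh.enabled=false in bitbucket.properties).

Added example, not Atlassian code. Assumptions: the version string comes
from the instance, the properties text is the contents of
bitbucket.properties, and a missing mesh.enabled key is reported as
"unknown" because the source does not state the default. Sample inputs
below are constructed."""

import re

# Affected (major, minor) ranges from the advisory, inclusive at both ends.
AFFECTED_RANGES = [((7, 0), (7, 21)), ((8, 0), (8, 4))]


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = re.search(r"[=:]", line)
        if sep:
            key, value = line[: sep.start()], line[sep.end():]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def version_tuple(version: str) -> tuple:
    """'8.4.2' -> (8, 4); only major.minor matter for the published ranges."""
    parts = re.findall(r"\d+", version)
    if len(parts) < 2:
        raise ValueError(f"unparseable version: {version!r}")
    return int(parts[0]), int(parts[1])


def version_in_affected_range(version: str) -> bool:
    """True when major.minor lies in 7.0-7.21 or 8.0-8.4."""
    mm = version_tuple(version)
    return any(lo <= mm <= hi for lo, hi in AFFECTED_RANGES)


def assess_cve_2022_43781(version: str, properties_text: str) -> str:
    """Return a verdict string starting with 'affected', 'not affected' or 'unknown'."""
    if not version_in_affected_range(version):
        return "not affected: version outside 7.0-7.21 / 8.0-8.4"
    mesh = parse_properties(properties_text).get("mesh.enabled")
    if mesh is None:
        # The page does not give the default, so do not guess it.
        return "unknown: mesh.enabled not set; confirm the effective Mesh setting"
    if mesh.lower() == "false":
        return "affected: in-range version with mesh.enabled=false; apply the patch"
    return "not affected: mesh.enabled is not false"


# Constructed sample bitbucket.properties, not taken from a real instance.
SAMPLE_PROPERTIES = """\
# constructed sample
server.port=7990
mesh.enabled = false
"""

if __name__ == "__main__":
    for ver in ("7.21.3", "8.4.1", "8.5.0"):
        print(ver, "->", assess_cve_2022_43781(ver, SAMPLE_PROPERTIES))
```

Patch-level fixed versions are not listed on this page, so the script only decides whether an instance is inside the affected ranges; the actual remediation target must come from Atlassian's advisory.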

The weakness has been described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to gain code execution on the affected system.

As a temporary workaround, the company is recommending that users turn off the "Public Signup" option (Administration > Authentication).

"Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one which would reduce the risk of exploitation," it noted in an advisory. "ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled."

The second vulnerability, CVE-2022-43782, concerns a misconfiguration in Crowd Server and Data Center that could permit an attacker to invoke privileged API endpoints, but only in instances where the bad actor is connecting from an IP address added to the Remote Address configuration.

Introduced in Crowd 3.0.0 and identified during an internal security review, the shortcoming affects all new installations, meaning users who upgraded from a version prior to Crowd 3.0.0 are not vulnerable.

It is not uncommon for flaws in Atlassian and Bitbucket products to be subjected to active exploitation in the wild, making it imperative that users move quickly to apply the patches.

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a command injection flaw in Bitbucket Server and Data Center (CVE-2022-36804, CVSS score: 9.9) was being weaponized in attacks since late September 2022.
