Security News > 2022 > August > Critical Vulnerability Discovered in Atlassian Bitbucket Server and Data Center
Atlassian has rolled out fixes for a critical security flaw in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations.
Tracked as CVE-2022-36804, the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests.
"An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request," Atlassian said in an advisory.
As a temporary workaround in scenarios where the patches cannot be applied right away, Atlassian is recommending turning off public repositories using "Feature.public.access=false" to prevent unauthorized users from exploiting the flaw.
"This can not be considered a complete mitigation as an attacker with a user account could still succeed," it cautioned, meaning it could be leveraged by threat actors who are already in possession of valid credentials obtained through other means.
Users of affected versions of the software are recommended to upgrade their instances to the latest version as soon as possible to mitigate potential threats.
News URL
https://thehackernews.com/2022/08/critical-vulnerability-discovered-in.html
Related news
- A critical vulnerability in Delinea Secret Server allows auth bypass, admin access (source)
- Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining (source)
- AI framework vulnerability is being used to compromise enterprise servers (CVE-2023-48022) (source)
- New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-08-25 | CVE-2022-36804 | Unspecified vulnerability in Atlassian Bitbucket Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. | 8.8 |