Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers (Security News, August 2022)
A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.
As Atlassian explains in its security advisory, published mid-last week: "An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request."
Atlassian recommends organizations upgrade their instances to a fixed version, and those with configured Bitbucket Mesh nodes will need to update those, too.
If you need to postpone a Bitbucket update, Atlassian advises turning off public repositories globally as a temporary mitigation.
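Because the advisory's precondition is access to a public repository, and the interim mitigation is to turn public repositories off globally, the first thing an administrator wants is an inventory of which repositories are currently public. The script below is an added illustration, not Atlassian's code and not from the article; it assumes the standard Bitbucket Server REST endpoint `GET /rest/api/1.0/repos?visibility=public` with its usual paged response shape (`values`, `isLastPage`, `nextPageStart`) and a personal access token sent as a Bearer header. `BASE_URL`, the token and the two sample pages are placeholders constructed for offline use.

```python
"""Inventory public repositories on a Bitbucket Server / Data Center instance.

Added illustration, not Atlassian's code. The endpoint, paging fields and
Bearer-token auth are assumptions based on the standard Bitbucket Server REST
API and are not described on the news page. BASE_URL and TOKEN are placeholders.
"""
import json
import sys
import urllib.request
from typing import Callable, Dict, List

# Placeholder values: replace with the real instance and a token issued by Bitbucket.
BASE_URL = "https://bitbucket.example.internal"
TOKEN = "REPLACE_WITH_PERSONAL_ACCESS_TOKEN"


def public_repos_in_page(page: Dict) -> List[str]:
    """Return PROJECT_KEY/slug for every repository in one page flagged public."""
    names = []
    for repo in page.get("values", []):
        # The visibility filter should already drop private repos; re-check the
        # flag so the result does not depend on the server honouring the filter.
        if repo.get("public") is True:
            names.append(f"{repo['project']['key']}/{repo['slug']}")
    return names


def collect_public_repos(fetch_page: Callable[[int], Dict]) -> List[str]:
    """Walk every page of results using Bitbucket's start/nextPageStart paging."""
    found: List[str] = []
    start = 0
    while True:
        page = fetch_page(start)
        found.extend(public_repos_in_page(page))
        if page.get("isLastPage", True):
            return found
        start = page["nextPageStart"]


def fetch_page_from_server(start: int, limit: int = 100) -> Dict:
    """Fetch one page from the live instance (only used with --live)."""
    url = f"{BASE_URL}/rest/api/1.0/repos?visibility=public&limit={limit}&start={start}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {TOKEN}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: two pages shaped like Bitbucket's paged response, for offline use.
SAMPLE_PAGES = {
    0: {
        "size": 2, "limit": 2, "isLastPage": False, "start": 0, "nextPageStart": 2,
        "values": [
            {"slug": "docs", "public": True, "project": {"key": "WEB"}},
            {"slug": "billing", "public": False, "project": {"key": "FIN"}},
        ],
    },
    2: {
        "size": 1, "limit": 2, "isLastPage": True, "start": 2,
        "values": [
            {"slug": "sdk", "public": True, "project": {"key": "PLAT"}},
        ],
    },
}


def sample_fetch(start: int) -> Dict:
    """Offline stand-in for fetch_page_from_server backed by the constructed pages."""
    return SAMPLE_PAGES[start]


if __name__ == "__main__":
    fetcher = fetch_page_from_server if "--live" in sys.argv else sample_fetch
    repos = collect_public_repos(fetcher)
    if repos:
        print("Public repositories still enabled (interim mitigation not in effect):")
        for name in repos:
            print("  " + name)
    else:
        print("No public repositories found.")
```

Run it without arguments to exercise the constructed pages; with `--live` it queries the instance named in `BASE_URL`. An empty result after the global setting has been turned off confirms the interim mitigation took effect; any output is a list of repositories that still satisfy the advisory's "access to a public repository" precondition until the upgrade is applied.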
Last month, Atlassian warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of years-old, critical flaws threaten their security.
In June, Atlassian copped to another critical flaw in Confluence that was under active attack.
News URL: https://go.theregister.com/feed/www.theregister.com/2022/08/29/atlassian_bitbucket_critical_bug/