Critical hole in Atlassian Bitbucket allows any miscreant to hijack servers
2022-08-29 18:08

A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.

As Atlassian explains in its security advisory, published mid-last week: "An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request."

Atlassian recommends organizations upgrade their instances to a fixed version, and those with configured Bitbucket Mesh nodes will need to update those, too.

If you need to postpone a Bitbucket update, Atlassian advises turning off public repositories globally as a temporary mitigation.

Last month, Atlassian warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of years-old, critical flaws threaten their security.

In June, Atlassian copped to another critical flaw in Confluence that was under active attack.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/29/atlassian_bitbucket_critical_bug/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Atlassian 58 3 259 104 46 412