Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree (Security News, October 2022)

The Cybersecurity and Infrastructure Security Agency late on Friday placed the Atlassian Bitbucket flaw, tracked as CVE-2022-36804, on its catalog of Known Exploited Vulnerabilities, effectively a must-patch list.
CISA put the vulnerability in Bitbucket Server and Data Center tools on the KEV list on the same day as two high-profile Microsoft Exchange zero-day flaws.
Atlassian disclosed the vulnerability on August 24, saying it affected both the Server and Data Center builds of its Git-based source code management tool.
"There has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available," they wrote before the reports of exploitation attempts arose, foretelling the future.
"Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse-engineer, it's likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon."
Also added to CISA's list are the two zero-day vulnerabilities in Microsoft Exchange Server.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/04/atlassian_microsoft_cisa_flaws/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-08-25 | CVE-2022-36804 | Argument Injection or Modification vulnerability in Atlassian Bitbucket. Multiple API endpoints in Atlassian Bitbucket Server and Data Center from version 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. | 8.8 |
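As an added example (not from the article, Atlassian or CISA), the following check compares a Bitbucket Server / Data Center version string against the affected ranges quoted in the entry above, so an inventory can be screened for CVE-2022-36804; the sample versions at the bottom are constructed, not real hosts.

```python
"""Screen Bitbucket version strings against the CVE-2022-36804 affected
ranges listed on this page (example code, not Atlassian or CISA tooling)."""
from typing import Optional, Tuple

# (first affected, first unaffected) per release line. The advisory wording
# "from X before Y" means the lower bound is inclusive, the upper exclusive.
AFFECTED_RANGES = [
    ("7.0.0", "7.6.17"),
    ("7.7.0", "7.17.10"),
    ("7.18.0", "7.21.4"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.3"),
    ("8.2.0", "8.2.2"),
    ("8.3.0", "8.3.1"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.21.3' (or '7.21.3-rc1') into a comparable tuple of ints."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # pad '7.21' -> (7, 21, 0)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (first_affected, first_unaffected) pair covering
    `version`, or None when no listed range applies."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return (lo, hi)
    return None


def assess(version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    hit = affected_range(version)
    if hit is None:
        return f"{version}: not in any affected range listed for CVE-2022-36804"
    return (f"{version}: AFFECTED ({hit[0]} <= v < {hit[1]}); "
            f"first unaffected release in this line is {hit[1]}")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["7.6.16", "7.6.17", "7.21.3", "8.0.3", "8.3.0", "8.3.1", "6.10.0"]:
        print(assess(v))
```

Versions below 7.0.0 fall outside every range quoted on the page, so the check reports them as "not in any affected range" rather than as safe.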