Security News > 2022 > October > Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree

Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree
2022-10-04 00:31

The Cybersecurity and Infrastructure Security Agency late on Friday placed the flaw - tracked as CVE-2022-36804 - on its catalog of Known Exploited Vulnerabilities, effectively a must-patch list.

CISA put the vulnerability in Bitbucket Server and Data Center tools on the KEV list on the same day as two high-profile Microsoft Exchange zero-day flaws.

Atlassian disclosed the vulnerability August 24, saying it affected both the Server and Data Center builds of its Git-based source code management tool.

"There has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available," they wrote before the reports of exploitation attempts arose, foretelling the future.

"Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse-engineer, it's likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon."

Also added to CISA's list are the two zero-day vulnerabilities in Microsoft Exchange Server.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/04/atlassian_microsoft_cisa_flaws/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-08-25 CVE-2022-36804 Unspecified vulnerability in Atlassian Bitbucket
Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.
network
low complexity
atlassian
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400
Atlassian 58 3 259 104 46 412