Atlassian, Microsoft bugs on CISA's must-patch list after exploitation spree
The Cybersecurity and Infrastructure Security Agency late on Friday placed the flaw, tracked as CVE-2022-36804, on its catalog of Known Exploited Vulnerabilities (KEV), effectively a must-patch list.
CISA put the vulnerability in Bitbucket Server and Data Center tools on the KEV list on the same day as two high-profile Microsoft Exchange zero-day flaws.
Atlassian disclosed the vulnerability August 24, saying it affected both the Server and Data Center builds of its Git-based source code management tool.
"There has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available," they wrote before reports of exploitation attempts surfaced, a prediction that proved accurate.
"Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse-engineer, it's likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon."
Also added to CISA's list are the two zero-day vulnerabilities in Microsoft Exchange Server.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/04/atlassian_microsoft_cisa_flaws/
Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2022-08-25 | CVE-2022-36804 | Unspecified vulnerability in Atlassian Bitbucket. Multiple API endpoints in Atlassian Bitbucket Server and Data Center from version 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, from version 8.2.0 before version 8.2.2, and from version 8.3.0 before version 8.3.1 allow remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. | 8.8
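An added example, not code from the article or from Atlassian, that turns the affected-version ranges in the table above into an inventory check: given a Bitbucket Server or Data Center version string, it reports whether the version sits in one of the listed ranges and which fixed release closes that range. The range boundaries are taken from the table; the function and variable names are this example's own.

```python
# Added example (not from the article or from Atlassian): checks whether a
# Bitbucket Server / Data Center version falls inside the affected ranges
# listed for CVE-2022-36804. Each range is [first affected, first fixed).
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, first fixed) per the vulnerability description above;
# the "fixed" version in each branch is the one to upgrade to.
AFFECTED_RANGES = [
    ("7.0.0", "7.6.17"),
    ("7.7.0", "7.17.10"),
    ("7.18.0", "7.21.4"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.3"),
    ("8.2.0", "8.2.2"),
    ("8.3.0", "8.3.1"),
]


def parse_version(text: str) -> Version:
    """Turn '7.21.4' into (7, 21, 4); missing trailing components count as 0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (start, fixed) range that contains `version`, or None."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(fixed):
            return (start, fixed)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def remediation(version: str) -> str:
    """One-line verdict suitable for an asset-inventory report."""
    rng = affected_range(version)
    if rng is None:
        return f"Bitbucket {version}: not in an affected range for CVE-2022-36804"
    return f"Bitbucket {version}: affected, upgrade to {rng[1]} or later"


if __name__ == "__main__":
    for v in ["7.6.16", "7.6.17", "7.21.3", "8.2.1", "8.3.1", "6.10.0"]:
        print(remediation(v))
```

Versions outside every listed range (for example a pre-7.0 release) are reported as not affected only because the table does not list them; the check reflects the advisory's ranges, not an independent assessment.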