
Atlassian fixes critical command injection bug in Bitbucket Server
2022-11-18 11:59

Atlassian has released updates to address critical-severity vulnerabilities in its centralized identity management platform, Crowd Server and Data Center, and in Bitbucket Server and Data Center, the company's solution for Git repository management.

Rated critical, the issue in Crowd Server and Data Center is tracked as CVE-2022-43782. It is a security misconfiguration that lets an attacker bypass the password check when authenticating as the Crowd application and then call privileged endpoints in Crowd's REST API. The caveat that matters for triage: it can only be exploited from IP addresses listed in the crowd application's Remote Addresses allowlist, which is empty ("none") by default, so instances that have never added an address to that allowlist are not reachable this way.

The issue impacts Crowd versions 3.0.0 to 3.7.2, 4.0.0 to 4.4.3, and 5.0.0 to 5.0.2.

Atlassian will not fix the flaw in the 3.x line of the product (3.0.0 to 3.7.2) because it has reached end of life and is no longer supported; affected 3.x installations need to upgrade to a fixed 4.x or 5.x release.

The flaw affecting Bitbucket Server and Data Center was introduced in version 7.0 of the product and is identified as CVE-2022-43781.

All versions from 7.0 to 7.21 are affected regardless of their configuration. Versions 8.0 through 8.4 are affected only when Mesh is disabled, that is, when the "mesh.enabled" property is set to false in "bitbucket.properties".
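A small triage helper, added here as an illustration and not code from Atlassian or from the article, that encodes only the version and configuration conditions stated above: Bitbucket 7.0 to 7.21 affected unconditionally, 8.0 to 8.4 affected only with an explicit "mesh.enabled=false" in bitbucket.properties, and Crowd 3.0.0 to 3.7.2, 4.0.0 to 4.4.3 and 5.0.0 to 5.0.2 affected, with exposure depending on a non-empty Remote Addresses allowlist. The sample properties file and the allowlist values are constructed for the example. The page gives branch ranges rather than exact patched point releases, so a "hit" from this script means "consult the vendor advisory for the fixed release in your branch", not "definitely unpatched".

```python
"""Triage helper for CVE-2022-43781 (Bitbucket Server/DC) and CVE-2022-43782
(Crowd Server/DC). Added example; encodes only the conditions stated on the page."""
import re


def parse_version(s):
    """'8.4.1' -> (8, 4, 1). Two-part versions such as '7.21' become (7, 21, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", s)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def mesh_disabled(properties_text):
    """True only if bitbucket.properties explicitly sets mesh.enabled to false.

    Handles the common Java .properties forms (key=value, key:value, key value)
    and skips comment lines starting with '#' or '!'. The page does not state the
    default when the key is absent, so an absent key is reported as not matching
    the stated condition rather than guessed (assumption of this example)."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m and m.group(1) == "mesh.enabled":
            return m.group(2).strip().lower() == "false"
    return False


def bitbucket_affected(version, properties_text=""):
    """CVE-2022-43781 per the article: 7.0.x-7.21.x always; 8.0.x-8.4.x only with mesh.enabled=false."""
    v = parse_version(version)
    if (7, 0, 0) <= v < (7, 22, 0):
        return True
    if (8, 0, 0) <= v < (8, 5, 0):
        return mesh_disabled(properties_text)
    return False


# Crowd ranges exactly as listed on the page (inclusive).
CROWD_AFFECTED_RANGES = [("3.0.0", "3.7.2"), ("4.0.0", "4.4.3"), ("5.0.0", "5.0.2")]


def crowd_affected(version):
    """CVE-2022-43782: vulnerable code present in the listed version ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in CROWD_AFFECTED_RANGES)


def crowd_exposed(version, remote_addresses):
    """Exploitable only from IPs on the crowd application's Remote Addresses
    allowlist, which is empty by default; an affected version with an empty
    allowlist is not reachable through this bug."""
    return crowd_affected(version) and len([a for a in remote_addresses if a.strip()]) > 0


# Constructed sample bitbucket.properties (not from a real deployment).
SAMPLE_PROPERTIES = """# constructed sample
server.port=7990
mesh.enabled = false
"""

if __name__ == "__main__":
    for ver in ("7.21.5", "8.4.1", "8.5.0"):
        print(ver, "affected" if bitbucket_affected(ver, SAMPLE_PROPERTIES) else "not affected")
    # Constructed allowlist values for the example.
    print("crowd 5.0.2, empty allowlist:", crowd_exposed("5.0.2", []))
    print("crowd 5.0.2, one allowlisted IP:", crowd_exposed("5.0.2", ["10.0.0.5"]))
```

Run it against your own bitbucket.properties and the Remote Addresses list from the Crowd admin UI; the two Crowd functions are kept separate on purpose, because "vulnerable code present" (upgrade priority) and "reachable right now" (incident urgency) are different questions.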


News URL

https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-command-injection-bug-in-bitbucket-server/

Related Vulnerability

DATE        CVE             TITLE                                                   VECTOR   COMPLEXITY   VENDOR     CWE     RISK      CVSS
2022-11-17  CVE-2022-43782  Unspecified vulnerability in Atlassian Crowd            network  low          atlassian  -       critical  9.8
2022-11-17  CVE-2022-43781  Command Injection vulnerability in Atlassian Bitbucket  network  low          atlassian  CWE-77  critical  9.8

CVE-2022-43782: Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequently to call privileged endpoints in Crowd's REST API under the "usermanagement" path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is "none" by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3.

CVE-2022-43781: There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center.

Related vendor

VENDOR     LAST 12M / #PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Atlassian  58 (one value missing)  56    291      40     34         421