Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products
2022-11-19 04:30

Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products.

CVE-2022-43781, a command injection vulnerability that Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center, affects versions 7.0 to 7.21 and 8.0 to 8.4.

The second vulnerability, CVE-2022-43782, concerns a misconfiguration in Crowd Server and Data Center that could permit an attacker to invoke privileged API endpoints, but only in scenarios where the bad actor is connecting from an IP address added to the Remote Addresses allowlist configuration.

Introduced in Crowd 3.0.0 and identified during an internal security review, the shortcoming impacts all new installations, meaning users who upgraded from a version prior to Crowd 3.0.0 are not vulnerable.

It's not uncommon for flaws in Atlassian products such as Bitbucket to be subjected to active exploitation in the wild, making it imperative that users move quickly to apply the patches.

Last month, the U.S. Cybersecurity and Infrastructure Security Agency warned that a command injection flaw in Bitbucket Server and Data Center was being weaponized in attacks since late September 2022.


News URL

https://thehackernews.com/2022/11/atlassian-releases-patches-for-critical.html

Related Vulnerability

DATE: 2022-11-17
CVE: CVE-2022-43782
VULNERABILITY TITLE: Unspecified vulnerability in Atlassian Crowd
Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the crowd application allowlist in the Remote Addresses configuration, which is none by default. The affected versions are all versions 3.x.x, versions 4.x.x before version 4.4.4, and versions 5.x.x before 5.0.3.
RISK: critical, CVSS 9.8 (attack vector: network; attack complexity: low); vendor: atlassian

DATE: 2022-11-17
CVE: CVE-2022-43781
VULNERABILITY TITLE: Command Injection vulnerability in Atlassian Bitbucket
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center.
RISK: critical, CVSS 9.8 (attack vector: network; attack complexity: low); vendor: atlassian; weakness: CWE-77
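The affected-version ranges above are the kind of data a defender feeds into an inventory check, and version strings are easy to compare wrongly (as text, "7.3" sorts after "7.21"). The following is an added example, not code from the article or from Atlassian: it parses versions numerically, encodes the ranges exactly as the page states them for CVE-2022-43781 and CVE-2022-43782, and applies the two Crowd preconditions the page gives (a non-empty Remote Addresses allowlist, and not having upgraded from a pre-3.0.0 install). The function names, the inventory record layout and the sample hosts are assumptions made for the example; the page does not list the fixed point releases inside the Bitbucket 7.x and 8.x lines, so every build of those lines is flagged for review against the vendor advisory.

```python
"""Added example: triage an inventory of Bitbucket Server/DC and Crowd hosts
against the affected-version ranges the page lists. Not Atlassian code; the
record layout and helper names are assumptions for the example."""

from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "7.21.5" into (7, 21, 5) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def bitbucket_affected(version: str) -> bool:
    """CVE-2022-43781: page lists Bitbucket Server/DC 7.0 to 7.21 and 8.0 to 8.4.

    Only the major.minor line is compared. Assumption: the page gives no fixed
    point releases within those lines, so any build on them is flagged.
    """
    major_minor = parse_version(version)[:2]
    return (7, 0) <= major_minor <= (7, 21) or (8, 0) <= major_minor <= (8, 4)


def crowd_affected(version: str) -> bool:
    """CVE-2022-43782: all 3.x.x, 4.x.x before 4.4.4, 5.x.x before 5.0.3."""
    v = parse_version(version)
    if v[0] == 3:
        return True
    if v[0] == 4:
        return v < (4, 4, 4)
    if v[0] == 5:
        return v < (5, 0, 3)
    return False


# Constructed sample inventory (hostnames and addresses are not real).
# "remote_addresses" models the crowd application's Remote Addresses allowlist,
# which the page says is empty ("none") by default; "upgraded_from_pre_3_0"
# models the page's note that upgrades from before Crowd 3.0.0 are not affected.
SAMPLE_INVENTORY: List[Dict] = [
    {"host": "bb-prod-1", "product": "bitbucket", "version": "7.21.5"},
    {"host": "bb-dev-2", "product": "bitbucket", "version": "8.5.0"},
    {"host": "crowd-new", "product": "crowd", "version": "5.0.2",
     "remote_addresses": ["10.0.0.5"]},
    {"host": "crowd-default", "product": "crowd", "version": "5.0.2",
     "remote_addresses": []},
    {"host": "crowd-upgraded", "product": "crowd", "version": "4.4.3",
     "remote_addresses": ["10.0.0.5"], "upgraded_from_pre_3_0": True},
    {"host": "crowd-fixed", "product": "crowd", "version": "5.0.3",
     "remote_addresses": ["10.0.0.5"]},
]


def triage(inventory: List[Dict]) -> List[Tuple[str, str, bool]]:
    """Return (host, cve, exploitable_now) for every host on an affected version.

    For Crowd, exploitable_now is True only when the allowlist is non-empty,
    mirroring the page's statement that the flaw is reachable only from
    allowlisted IPs; hosts on an affected version with an empty allowlist are
    still reported so they get patched before the allowlist is ever populated.
    """
    findings: List[Tuple[str, str, bool]] = []
    for item in inventory:
        if item["product"] == "bitbucket" and bitbucket_affected(item["version"]):
            findings.append((item["host"], "CVE-2022-43781", True))
        elif item["product"] == "crowd" and crowd_affected(item["version"]):
            if item.get("upgraded_from_pre_3_0", False):
                continue  # page: upgrades from pre-3.0.0 installs are not vulnerable
            allowlist = item.get("remote_addresses", [])
            findings.append((item["host"], "CVE-2022-43782", bool(allowlist)))
    return findings


if __name__ == "__main__":
    for host, cve, exploitable in triage(SAMPLE_INVENTORY):
        print(f"{host}: {cve} (exploitable now: {exploitable})")
```

The Crowd branch deliberately reports hosts on an affected version even when their allowlist is empty: the allowlist is configuration that can change at any time, so the patch, not the empty allowlist, is the durable fix.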

Related vendor

VENDOR: Atlassian
LAST 12M / #/PRODUCTS: 58 (only one of the two values survives in the source)
LOW: 3
MEDIUM: 259
HIGH: 104
CRITICAL: 46
TOTAL VULNS: 412