Atlassian announced the release of security updates to address critical-severity vulnerabilities in its identity management platform, Crowd Server and Data Center, and in the Bitbucket Server and Data Center, a self-managed solution that provides source code collaboration for professional teams.
The vulnerability in the Bitbucket source code repository hosting service, tracked as CVE-2022-43781, is a critical command injection vulnerability.
The vulnerability received a CVSS score of 9/10 and affects Bitbucket Server and Data Center version 7 and, and version 8 if mesh.enabled is set to false in bitbucket.properties.
“There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system.” reads the advisory published by the vendor.
The second critical vulnerability addressed by Atlassian, tracked as CVE-2022-43782 (CVSS score of 9/10), is a security misconfiguration issue.
An attacker connecting from IP in the allow list can trigger the vulnerability to bypass password checks when authenticating as the Crowd app and to call privileged API endpoints.
“The vulnerability allows an attacker connecting from IP in the allow list to authenticate as the crowd application through bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd’s REST API under the usermanagement path.” reads the advisory.
The flaw was introduced in Crowd 3.0.0, it affects all versions released after 3.0.0 but only if both of the following conditions are met:
Summarizing, all new installations running any of the following versions are impacted:
Atlassian will not patch the vulnerability in version 3.0.0 of the product because it reached the end of life.
The advisory provides instructions to check if an instance was compromised along with mitigation that can be applied if it is not possible to immediately upgrade Crowd.
(SecurityAffairs – hacking, Bitbucket Server)