Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products

Teilen:

Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products.

The issues, tracked as CVE-2022-43781 und CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system.

CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center, affects versions 7.0 to 7.21 and 8.0 to 8.4 (only if mesh.enabled is set to false in bitbucket.properties).

The weakness has been described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to gain code execution on the affected system.

As a temporary workaround, the company is recommending users turn off the “Public Signup” option (Administration > Authentication).

“Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one which would reduce the risk of exploitation,” it noted in an advisory. “ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled.”

The second vulnerability, CVE-2022-43782, concerns a misconfiguration in Crowd Server and Data Center that could permit an attacker to invoke privileged API endpoints, but only in scenarios where the bad actor is connecting from an IP address added to the Remote Address configuration.

Introduced in Crowd 3.0.0 and identified during an internal security review, the shortcoming impacts all new installations, meaning users who upgraded from a version prior to Crowd 3.0.0 are not vulnerable.

It’s not uncommon for flaws in Atlassian and Bitbucket to be subjected zu active exploitation in the wild, making it imperative that users move quickly to apply the patches.

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a command injection flaw in Bitbucket Server and Data Center (CVE-2022-36804, CVSS score: 9.9) was being weaponized in attacks since late September 2022.

https://thehackernews.com/2022/11/atlassian-releases-patches-for-critical.html

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
1:29 pm, Juli 11, 2025
Wetter-Symbol 30°C
L: 28° | H: 32°
wenige Wolken
Luftfeuchtigkeit: 41 %
Druck: 1020 mb
Wind: 6 mph NNE
Windböe: 9 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 13%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 4:56 am
Sonnenuntergang: 9:15 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 10:00 pm
Wetter-Symbol
28° | 32°°C 0 mm 0% 8 mph 47 % 1019 mb 0 mm/h
Tomorrow 10:00 pm
Wetter-Symbol
18° | 30°°C 0 mm 0% 9 mph 65 % 1018 mb 0 mm/h
So. Juli 13 10:00 pm
Wetter-Symbol
17° | 27°°C 0 mm 0% 7 mph 73 % 1014 mb 0 mm/h
Mo. Juli 14 10:00 pm
Wetter-Symbol
20° | 29°°C 0 mm 0% 14 mph 71 % 1017 mb 0 mm/h
Di. Juli 15 10:00 pm
Wetter-Symbol
15° | 27°°C 0 mm 0% 13 mph 71 % 1021 mb 0 mm/h
Today 4:00 pm
Wetter-Symbol
30° | 31°°C 0 mm 0% 5 mph 37 % 1019 mb 0 mm/h
Today 7:00 pm
Wetter-Symbol
28° | 28°°C 0 mm 0% 5 mph 32 % 1018 mb 0 mm/h
Today 10:00 pm
Wetter-Symbol
22° | 22°°C 0 mm 0% 8 mph 47 % 1019 mb 0 mm/h
Tomorrow 1:00 am
Wetter-Symbol
18° | 18°°C 0 mm 0% 4 mph 55 % 1018 mb 0 mm/h
Tomorrow 4:00 am
Wetter-Symbol
19° | 19°°C 0 mm 0% 4 mph 65 % 1018 mb 0 mm/h
Tomorrow 7:00 am
Wetter-Symbol
19° | 19°°C 0 mm 0% 6 mph 64 % 1018 mb 0 mm/h
Tomorrow 10:00 am
Wetter-Symbol
24° | 24°°C 0 mm 0% 6 mph 45 % 1017 mb 0 mm/h
Tomorrow 1:00 pm
Wetter-Symbol
28° | 28°°C 0 mm 0% 7 mph 30 % 1015 mb 0 mm/h
Name Preis24H (%)
Bitcoin(BTC)
€100,979.92
6.47%
Ethereum(ETH)
€2,555.34
7.74%
Fesseln(USDT)
€0.86
-0.01%
XRP(XRP)
€2.26
7.92%
Solana(SOL)
€140.32
4.29%
USDC(USDC)
€0.86
-0.01%
Dogecoin(DOGE)
€0.170457
10.61%
Shiba Inu(SHIB)
€0.000011
8.20%
Pepe(PEPE)
€0.000011
15.71%
Peanut das Eichhörnchen(PNUT)
€0.248573
19.26%
Nach oben scrollen