Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products.
The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system.
CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center, impacts versions 7.0 to 7.21 and 8.0 to 8.4 (only if mesh.enabled is set to false in bitbucket.properties).
The weakness has been described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to gain code execution on the affected system.
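The two conditions the advisory attaches to CVE-2022-43781 (a version in the listed ranges and mesh.enabled=false in bitbucket.properties) are easy to check from an inventory. The triage helper below is an added example written for this article, not Atlassian's code or tooling: it parses a Bitbucket version string, compares it against the 7.0–7.21 and 8.0–8.4 ranges the article gives, and reads a (constructed) bitbucket.properties. It assumes a simplified Java .properties format, and it reports a missing mesh.enabled key as unknown rather than guessing the product default, since the article does not state it.

```python
"""Triage helper for CVE-2022-43781 exposure, based only on the conditions
stated in the advisory summary above (affected version ranges plus
mesh.enabled=false). Added example; not Atlassian's code."""
import re

# Inclusive (major, minor) ranges named in the advisory summary.
AFFECTED_RANGES = [((7, 0), (7, 21)), ((8, 0), (8, 4))]


def parse_version(version: str):
    """Return (major, minor) from strings such as '8.4.1' or '7.21'."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(version: str) -> bool:
    """True if major.minor falls inside one of AFFECTED_RANGES."""
    mm = parse_version(version)
    return any(lo <= mm <= hi for lo, hi in AFFECTED_RANGES)


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser (assumption: key=value or key:value
    per line, '#'/'!' comments; no line continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def mesh_enabled_false(props: dict):
    """True if mesh.enabled is explicitly 'false', False if explicitly set to
    anything else, None if the key is absent (default not assumed)."""
    value = props.get("mesh.enabled")
    if value is None:
        return None
    return value.lower() == "false"


def assess(version: str, properties_text: str) -> dict:
    """Combine both advisory conditions into one triage verdict."""
    affected_version = version_in_affected_range(version)
    mesh_false = mesh_enabled_false(parse_properties(properties_text))
    exposed = affected_version and mesh_false is True
    if not affected_version:
        note = "version outside the ranges listed in the advisory"
    elif mesh_false is None:
        note = "affected version; mesh.enabled not set, verify the effective value"
    elif mesh_false:
        note = "affected version with mesh.enabled=false: patch or disable Public Signup"
    else:
        note = "affected version but mesh.enabled is not false"
    return {
        "version_affected": affected_version,
        "mesh_enabled_false": mesh_false,
        "exposed": exposed,
        "note": note,
    }


# Constructed sample bitbucket.properties for demonstration only.
SAMPLE_PROPERTIES = """# constructed sample, not from a real install
server.port=7990
mesh.enabled=false
"""

if __name__ == "__main__":
    for ver in ("6.10.0", "7.21.3", "8.4.1", "8.5.0"):
        print(ver, assess(ver, SAMPLE_PROPERTIES))
```

Run it over a list of instance versions and their copied bitbucket.properties files to prioritise patching; an "exposed" verdict is the case the advisory's Public Signup workaround is meant to narrow, not remove, since authenticated ADMIN or SYS_ADMIN users remain able to reach the flaw.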
As a temporary workaround, the company is recommending users turn off the "Public Signup" option (Administration > Authentication).
"Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one which would reduce the risk of exploitation," it noted in an advisory. "ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled."
The second vulnerability, CVE-2022-43782, concerns a misconfiguration in Crowd Server and Data Center that could permit an attacker to invoke privileged API endpoints, but only in scenarios where the bad actor is connecting from an IP address added to the Remote Address configuration.
Introduced in Crowd 3.0.0 and identified during an internal security review, the shortcoming impacts all new installations, meaning users who upgraded from a version prior to Crowd 3.0.0 are not vulnerable.
It isn't uncommon for flaws in Atlassian and Bitbucket to be subjected to active exploitation in the wild, making it imperative that users move quickly to apply the patches.
Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a command injection flaw in Bitbucket Server and Data Center (CVE-2022-36804, CVSS score: 9.9) was being weaponized in attacks since late September 2022.