Atlassian informed customers this week that it has patched critical vulnerabilities in its Crowd and Bitbucket products.
In the Bitbucket source code repository hosting service, Atlassian fixed CVE-2022-43781, a critical command injection vulnerability that affects Bitbucket Server and Data Center version 7 and, in some cases, version 8.
“There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system,” Atlassian explained.
Updates that patch the flaw have been released for both Bitbucket 7 and 8. Atlassian Cloud sites are not affected.
In the case of Crowd, an application security framework that handles authentication and authorization for web-based applications, Atlassian fixed CVE-2022-43782, a critical security misconfiguration issue affecting all versions starting with 3.0.0.
“The vulnerability allows an attacker connecting from IP in the allow list to authenticate as the crowd application through bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd’s REST API under the usermanagement path,” Atlassian explained.
While this security hole has been rated ‘critical’, it can only be exploited by IPs in the Crowd application’s allowlist in the Remote Addresses configuration. In addition, it only impacts new installations — users who have updated their installation from a version prior to 3.0.0 are not affected.
There does not appear to be any evidence of malicious exploitation — the vulnerability was discovered internally by Atlassian — but the company has nevertheless published indicators of compromise (IoCs) for CVE-2022-43782.
It’s not uncommon for threat actors to exploit vulnerabilities in Atlassian products in their attacks.
Last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a Bitbucket vulnerability patched in August had been targeted in attacks. Exploitation attempts started weeks after patches were released.