Atlassian fixed 2 critical flaws in Crowd and Bitbucket products – Security Affairs

Atlassian announced the release of security updates to address critical-severity vulnerabilities in its identity management platform, Crowd Server and Data Center, and in the Bitbucket Server and Data Center, a self-managed solution that provides source code collaboration for professional teams.
The vulnerability in the Bitbucket source code repository hosting service, tracked as CVE-2022-43781, is a critical command injection vulnerability.
The vulnerability received a CVSS score of 9/10 and affects Bitbucket Server and Data Center version 7, and version 8 if mesh.enabled is set to false in bitbucket.properties.
“There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system.” reads the advisory published by the vendor.
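As an added example (not code from this article or from Atlassian), the following Python helper applies the affected-scope condition stated above to a Bitbucket version string and the contents of bitbucket.properties. The fixed build numbers are not quoted on this page, so the helper only reports whether an instance falls inside the described scope; function names and the sample properties file are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample of a bitbucket.properties file (not from the article).
SAMPLE_PROPERTIES = """
# Bitbucket configuration (constructed sample)
server.port = 7990
! old-style comment line
mesh.enabled=false
example.setting: 64
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#' or '!' comment lines,
    '=' or ':' separators, surrounding whitespace trimmed.
    Backslash line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def mesh_enabled(props: dict) -> Optional[bool]:
    """True/False for an explicit mesh.enabled value, None if it is unset."""
    val = props.get("mesh.enabled")
    if val is None:
        return None
    return val.lower() == "true"


def cve_2022_43781_scope(version: str, properties_text: str) -> str:
    """Apply the affected-scope condition the article gives for
    CVE-2022-43781: every 7.x build, and 8.x builds only when
    mesh.enabled is false. Returns 'in-scope', 'out-of-scope' or
    'unknown' (manual check needed); pair the result with the vendor's
    fixed-version list, which this page does not quote."""
    m = re.match(r"(\d+)\.", version.strip())
    if not m:
        return "unknown"
    major = int(m.group(1))
    if major == 7:
        return "in-scope"
    if major == 8:
        enabled = mesh_enabled(parse_properties(properties_text))
        if enabled is None:
            return "unknown"  # default for an unset key is not stated here
        return "out-of-scope" if enabled else "in-scope"
    return "unknown"  # other major versions are outside what the article covers
```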
The second critical vulnerability addressed by Atlassian, tracked as CVE-2022-43782 (CVSS score of 9/10), is a security misconfiguration issue.
An attacker connecting from an IP address in the allow list can trigger the vulnerability to bypass password checks when authenticating as the Crowd application and to call privileged API endpoints.
“The vulnerability allows an attacker connecting from IP in the allow list to authenticate as the crowd application through bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd’s REST API under the usermanagement path.” reads the advisory.
The flaw was introduced in Crowd 3.0.0 and affects all versions released after 3.0.0, but only if both of the following conditions are met:
Summarizing, all new installations running any of the following versions are impacted:
Atlassian will not patch the vulnerability in version 3.0.0 of the product because it has reached end of life.
The advisory provides instructions to check whether an instance was compromised, along with mitigations that can be applied if it is not possible to upgrade Crowd immediately.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Bitbucket Server)