Atlassian has patched CVE-2022-43781, a critical command injection vulnerability in its Bitbucket source code repository hosting service. The flaw affects Bitbucket Server and Data Center version 7 and, under certain configurations, version 8.
"There is a command injection vulnerability in Bitbucket Server and Data Center that makes use of environment variables."
An attacker with access to an account on the instance could use the flaw to gain code execution on the underlying system, according to Atlassian.
Fixed releases are available for both Bitbucket 7 and Bitbucket 8.
Sites hosted on Atlassian Cloud are unaffected.
In Crowd, its application security framework that handles authentication and authorization for web-based applications, Atlassian fixed CVE-2022-43782, a critical security misconfiguration affecting all versions from 3.0.0 onward.
"The flaw enables an attacker connecting from an IP address in the allow list to log in as the crowd application by avoiding a password check."
"The attacker would be able to reach privileged endpoints in Crowd's REST API through the usermanagement route," Atlassian stated.
Although the flaw is rated critical, it can only be exploited from IP addresses on the Crowd application's allowlist in the Remote Addresses configuration.
It also affects only new installations of 3.0.0 or later; customers who upgraded from a version earlier than 3.0.0 are not affected.
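The Crowd bypass described above means that, on an unpatched instance, the Remote Addresses allowlist is effectively the only thing standing between a network peer and the crowd application's privileged REST endpoints, so the width of that allowlist decides how exposed an instance is. The following Python is an added example, not Atlassian's code and not part of the original article: it models that source-address check and audits a constructed sample allowlist for over-broad entries. It assumes allowlist entries are plain IPv4/IPv6 addresses or CIDR blocks, and that any entry covering more than 256 addresses deserves a second look; both the sample entries and that threshold are illustrative assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample allowlist. It stands in for the "Remote Addresses" entries
# of one Crowd application; the entries are an assumption for this example and
# are not taken from any real deployment. The last one is the kind of entry
# that turns the pre-fix behaviour into a remote, unauthenticated problem.
SAMPLE_ALLOWLIST: List[str] = [
    "10.0.5.12",          # a single trusted host
    "192.168.10.0/24",    # one subnet
    "0.0.0.0/0",          # "allow everyone"
]

# Assumption: an entry covering more than this many addresses is too broad
# to be an intentional list of trusted application hosts.
MAX_ADDRESSES_PER_ENTRY = 256


def parse_entry(entry: str) -> Network:
    """Normalise one allowlist entry to a network object.

    A bare host address becomes a /32 (IPv4) or /128 (IPv6) network, so every
    entry can be handled uniformly. Raises ValueError on unparseable input.
    """
    return ipaddress.ip_network(entry.strip(), strict=False)


def is_allowlisted(source_ip: str, allowlist: Iterable[str]) -> bool:
    """True if source_ip falls inside any entry of the allowlist.

    Before the fix, this is effectively the whole authentication decision for
    the crowd application: a source passing this check could log in without
    a password. Invalid entries are skipped rather than treated as matches,
    and an IPv6 source never matches an IPv4 entry (or vice versa).
    """
    ip = ipaddress.ip_address(source_ip)
    for entry in allowlist:
        try:
            if ip in parse_entry(entry):
                return True
        except ValueError:
            continue
    return False


def audit_allowlist(allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """Classify allowlist entries for review.

    Returns a dict with three lists:
      'broad'   - entries covering more than MAX_ADDRESSES_PER_ENTRY addresses
      'invalid' - entries that do not parse as an address or network
      'ok'      - everything else
    """
    report: Dict[str, List[str]] = {"broad": [], "invalid": [], "ok": []}
    for entry in allowlist:
        try:
            net = parse_entry(entry)
        except ValueError:
            report["invalid"].append(entry)
            continue
        if net.num_addresses > MAX_ADDRESSES_PER_ENTRY:
            report["broad"].append(entry)
        else:
            report["ok"].append(entry)
    return report


if __name__ == "__main__":
    report = audit_allowlist(SAMPLE_ALLOWLIST)
    for label, entries in report.items():
        print(f"{label}: {entries}")
    # With "0.0.0.0/0" present, any IPv4 source is trusted.
    print("203.0.113.5 allowed:", is_allowlisted("203.0.113.5", SAMPLE_ALLOWLIST))
```

Running the audit on the sample list flags only `0.0.0.0/0`; the single host and the /24 pass. The useful habit the example encodes is to treat the allowlist as an authentication boundary rather than a convenience setting: patch to a fixed release, and independently shrink the list to the specific application hosts that need it.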
There is no indication of in-the-wild exploitation; the vulnerability was found internally by Atlassian. Indicators of compromise (IoCs) for CVE-2022-43782 have nonetheless been published.
Threat actors frequently exploit vulnerabilities in Atlassian products.
Last month the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a Bitbucket vulnerability patched in August was being exploited in attacks.
Exploitation attempts began within weeks of the fixes being released.