Australian software company Atlassian has rolled out security updates to address two critical flaws affecting its Bitbucket Server, Data Center, and Crowd products.
The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system.
CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center, affects versions 7.0 to 7.21 and 8.0 to 8.4 (provided that mesh.enabled is set to false in bitbucket.properties).
The weakness has been described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to achieve code execution on the affected system.
As a temporary workaround, the company is recommending that users turn off the "Public Signup" option (Administration > Authentication).
"Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one, which would reduce the risk of exploitation," it noted in an advisory. "ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled."
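The exposure conditions above (version in 7.0 to 7.21 or 8.0 to 8.4, mesh.enabled set to false in bitbucket.properties, and whether Public Signup is on) can be turned into a quick triage check for an inventory of instances. The following is an added example, not code from Atlassian or from the advisory; it only encodes what the article states. It assumes a minimal .properties syntax (key=value or key: value, comments starting with # or !), treats a missing mesh.enabled key as "unknown" rather than guessing the product default, and does not know the exact fixed build numbers, so a version outside the stated ranges is reported as "outside the stated affected range", not as patched. The sample properties text is constructed for the demonstration.

```python
"""Triage helper for CVE-2022-43781 exposure in Bitbucket Server / Data Center.

Added example (not Atlassian's code). Conditions come from the advisory as
reported in the article: affected versions 7.0 to 7.21 and 8.0 to 8.4, only
when mesh.enabled is false in bitbucket.properties; disabling Public Signup
turns the unauthenticated vector into an authenticated one.
"""
from __future__ import annotations

import re

# (major, minor) ranges the article names as affected, inclusive on both ends.
AFFECTED_RANGES = (((7, 0), (7, 21)), ((8, 0), (8, 4)))


def parse_version(version: str) -> tuple[int, int]:
    """Return (major, minor) from a version string such as '8.4.1'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser (assumption: key=value or key: value lines,
    '#' or '!' comment lines, no line continuations)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def in_affected_range(version: str) -> bool:
    """True when (major, minor) falls inside one of the stated ranges."""
    mm = parse_version(version)
    return any(lo <= mm <= hi for lo, hi in AFFECTED_RANGES)


def assess(version: str, properties_text: str, public_signup: bool) -> dict:
    """Combine version, mesh.enabled and Public Signup into a verdict string."""
    props = parse_properties(properties_text)
    in_range = in_affected_range(version)
    mesh = props.get("mesh.enabled")  # None when the key is absent
    mesh_off = mesh is not None and mesh.strip().lower() == "false"

    if not in_range:
        verdict = "outside the stated affected version range"
    elif mesh is None:
        verdict = "affected version; mesh.enabled not set, confirm the effective value"
    elif not mesh_off:
        verdict = "affected version, but mesh.enabled is not false: advisory condition not met"
    elif public_signup:
        verdict = ("exposed: unauthenticated self-registration can reach the flaw; "
                   "disable Public Signup and apply the patch")
    else:
        verdict = ("exposed to authenticated users (ADMIN/SYS_ADMIN can still exploit); "
                   "apply the patch")

    return {
        "version": version,
        "in_affected_range": in_range,
        "mesh_enabled": mesh,
        "public_signup": public_signup,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample bitbucket.properties content for the demonstration.
    SAMPLE_PROPERTIES = """
    # constructed sample, not a real instance
    server.port = 7990
    mesh.enabled = false
    """
    for ver, signup in (("8.4.1", True), ("8.4.1", False), ("8.5.0", True)):
        print(assess(ver, SAMPLE_PROPERTIES, signup)["verdict"])
```

Running the block prints one verdict per constructed instance; for a fleet you would feed each host's version, its bitbucket.properties, and the Public Signup state read from Administration > Authentication.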
The second vulnerability, CVE-2022-43782, concerns a misconfiguration in Crowd Server and Data Center that could allow an attacker to invoke privileged API endpoints, but only in scenarios where the bad actor is connecting from an IP address added to the Remote Address configuration.
Introduced in Crowd 3.0.0 and identified during an internal security review, the shortcoming affects all new installations, meaning users who upgraded from a version prior to Crowd 3.0.0 are not vulnerable.
It's not uncommon for flaws in Atlassian products such as Bitbucket to be subjected to active exploitation in the wild, making it imperative that users move quickly to apply the patches.
Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a command injection flaw in Bitbucket Server and Data Center (CVE-2022-36804, CVSS score: 9.9) was being weaponized in attacks since late September 2022.