Atlassian has patched a bug in its Bitbucket Server and Data Center products that is present in all versions since 7.0.0, released in early 2020, and a separate bug in its Crowd Server and Data Center 3.0.0 software.
The Bitbucket flaw is a critical-rated command injection bug.
As the company’s advisory for CVE-2022-43781 states, an attacker who is able to control their own username can abuse an environment variable via crafted requests to execute code on the target system.
The vulnerability affects Bitbucket Data Center and Server 7.0 to 7.21; and Bitbucket Data Center and Server 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties.
Atlassian Cloud sites are not affected, the company said.
Fixes have been released for both the 7.x and 8.x branches.
Atlassian said a temporary mitigation for the bug is to disable public signup on a Bitbucket instance.
This narrows the attack vector so that only authenticated attackers can reach the vulnerable code.
“ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled. For this reason, this mitigation should be treated as a temporary step and customers are recommended to upgrade to a fixed version as soon as possible”, the advisory stated.
New installations of Crowd 3.0.0 are affected by a security misconfiguration bug, CVE-2022-43782, but users who installed upgrades from previous versions to 3.0.0 are not affected.
New installations are affected if an IP address has been added to the Remote Address configuration of the application (versions after 3.0.0 set this to “none” by default).
An attacker connecting from an IP address on the allow list could bypass a password check, after which they could call privileged endpoints in Crowd’s REST API.
Users need to upgrade their Crowd instance to Crowd 3.7.2, Crowd 4.4.3, or Crowd 5.0.2.