Atlassian has released critical-severity patches for Crowd Server and Data Center, its identity management product, and for Bitbucket Server and Data Center, its repository management platform.

Both security flaws have a severity rating of 9 and affect numerous versions of the products. The Crowd Server and Data Center issue is tracked as CVE-2022-43782 and is a misconfiguration that lets an attacker bypass password checks when authenticating as the Crowd application and then call privileged API endpoints.

Introduced in 3.0

According to Atlassian, exploitation is possible only under certain conditions. One is that the Remote Address configuration has been modified to include an allowed IP address, which differs from the default setting (none).

In a security alert, Atlassian warns that this could allow attackers to reach endpoints in Crowd’s REST API under the user management path. Crowd versions 3.0.0 to 3.7.2, 4.0.0 to 4.4.3, and 5.0.0 to 5.0.2 are affected. Crowd versions 5.0.3 and 4.4.4 are unaffected.

Atlassian will not fix the issue in the 3.0.0 release, since it has reached end of life.

As always, update immediately

The vulnerability affecting Bitbucket Server and Data Center was introduced in product version 7.0 and is tracked as CVE-2022-43781. The flaw is a command injection bug that allows an attacker with access to the targeted system's username to execute code in certain situations.

All versions from 7.0 through 7.21 are affected regardless of configuration. Versions 8.0 through 8.4 are affected only when the 'mesh.enabled' setting is disabled in 'bitbucket.properties'.

CVE-2022-43781 does not affect PostgreSQL instances or instances hosted by Atlassian (accessed via a bitbucket.org domain). Users unable to update to the fixed versions should disable 'Public Signup', which forces an attacker to authenticate with valid credentials and lowers the likelihood of attack.
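The affected-version conditions above (Crowd 3.0.0 to 3.7.2, 4.0.0 to 4.4.3, 5.0.0 to 5.0.2; Bitbucket 7.0 through 7.21 unconditionally and 8.0 through 8.4 only when 'mesh.enabled' is disabled, with PostgreSQL instances excluded) are the kind of thing an administrator checks against an inventory. The script below is an added example, not Atlassian's code or tooling: it encodes those ranges, parses a constructed 'bitbucket.properties' fragment, and reports whether a given version is in scope. It assumes that a missing 'mesh.enabled' key means Mesh is not enabled (the conservative reading), and the function and constant names are its own.

```python
"""Added example: check Crowd / Bitbucket versions against the advisory ranges.

Not Atlassian's code. Ranges come from the advisory summary; the treatment of
a missing 'mesh.enabled' key as "disabled" is an assumption made here.
"""
import re

# Inclusive [low, high] ranges as stated in the advisory. A two-part upper
# bound such as (7, 21) means "any 7.21.x".
CROWD_AFFECTED = [((3, 0, 0), (3, 7, 2)),
                  ((4, 0, 0), (4, 4, 3)),
                  ((5, 0, 0), (5, 0, 2))]
BITBUCKET_ALWAYS_AFFECTED = [((7, 0), (7, 21))]
BITBUCKET_MESH_DEPENDENT = [((8, 0), (8, 4))]


def parse_version(text):
    """'8.4.0' or '7.21' -> a 3-tuple of ints, zero-padded."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version, low, high):
    """Inclusive range check; the upper bound is compared at its own granularity."""
    low = low + (0,) * (3 - len(low))
    return version >= low and version[:len(high)] <= high


def parse_properties(text):
    """Minimal key=value parser for a Java .properties file (comments skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def crowd_affected(version_text):
    """True if a Crowd version falls in a range affected by CVE-2022-43782."""
    v = parse_version(version_text)
    return any(in_range(v, lo, hi) for lo, hi in CROWD_AFFECTED)


def bitbucket_affected(version_text, properties, postgresql=False):
    """True if a Bitbucket version/config is in scope for CVE-2022-43781.

    7.0-7.21: affected regardless of configuration.
    8.0-8.4:  affected only when mesh.enabled is not 'true'
              (assumption: an absent key counts as disabled).
    PostgreSQL-backed instances are excluded per the advisory.
    """
    if postgresql:
        return False
    v = parse_version(version_text)
    if any(in_range(v, lo, hi) for lo, hi in BITBUCKET_ALWAYS_AFFECTED):
        return True
    if any(in_range(v, lo, hi) for lo, hi in BITBUCKET_MESH_DEPENDENT):
        mesh_enabled = properties.get("mesh.enabled", "false").lower() == "true"
        return not mesh_enabled
    return False


# Constructed sample bitbucket.properties fragment (not from a real install).
SAMPLE_PROPERTIES = """\
# constructed sample
server.port=7990
mesh.enabled=false
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for ver in ("7.21.5", "8.4.0", "8.5.0"):
        print(f"Bitbucket {ver}: affected={bitbucket_affected(ver, props)}")
    for ver in ("3.7.2", "4.4.4", "5.0.3"):
        print(f"Crowd {ver}: affected={crowd_affected(ver)}")
```

Feed the script the version strings from your own inventory and the real 'bitbucket.properties' contents; when the 8.x result hinges on the missing-key assumption, confirm the Mesh setting directly rather than trusting the default.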
