Urgent correction of Atlassian ships

Atlassian Ships Urgent Patch for Critical Bitbucket Vulnerability:

Atlassian’s security response team has issued an urgent advisory to warn of a critical command

injection flaw in its Bitbucket Server and Data Center product.

The vulnerability carries a CVSS severity score of 9.9 out of 10 and can be exploited remotely to launch

code execution attacks, Atlassian said.

Atlassian said the security defect, tracked as CVE-2022-36804, was introduced in version 7.0.0 of

Bitbucket Server and Data Center.

From the alert:

"There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data

Center. An attacker with access to a public Bitbucket repository or with read permissions to a private

one can execute arbitrary code by sending a malicious HTTP request.

All versions released after 6.10.17 including 7.0.0 and newer are affected, this means that all

instances that are running any versions between 7.0.0 and 8.3.0 inclusive can be exploited by this

vulnerability. &Quote.

The company said Atlassian Cloud sites are not affected by this issue.  

The disclosure of a new critical-severity issue from Atlassian follows the documentation of in-the-wild

attacks hitting the Australian company’s widely deployed Confluence software product.

This year alone, the U.S. government’s cybersecurity response agency CISA has listed four distinct

Atlassian software flaws in its KEV (Known Exploited Vulnerabilities) catalog

Related:  Atlassian Patches Critical Authentication Bypass Vulnerability in Jira

Related:  Atlassian Confluence Servers Hacked via Zero-Day Vulnerability

Related:  Atlassian Expects Confluence App Exploitation After Hardcoded Password Leak

Related:  Atlassian Patches Confluence Zero-Day as Exploitation Attempts Surge

source: https://cyware.com/cyber-security-news-articles