- Atlassian has fixed two flaws: one in its Bitbucket Server and Data Center products, present in all versions since 7.0.0, and one in its Crowd Server and Data Center software, present since version 3.0.0.
- Both vulnerabilities are rated 9 out of 10 on the CVSS vulnerability scoring system, and Atlassian rates their severity as critical in the related advisories.
- Atlassian urged its users to update each affected product installation to fixed versions. The company has listed fixed versions on the advisories of both flaws.
The Australian software company Atlassian released two security updates to fix critical-severity flaws in its identity management platform, Crowd Server and Data Center, and in the Bitbucket Server and Data Center, self-managed solutions that provide source code collaboration for professional teams.
Both rated at CVSS 9.0
The vulnerabilities are tracked as CVE-2022-43781 for Bitbucket Server and Data Center, and CVE-2022-43782 for Crowd Server and Data Center. Both are rated 9 out of 10 on the CVSS vulnerability scoring system. In Bitbucket Server and Data Center, Atlassian fixed a critical command injection vulnerability that affects all versions 7.0 to 7.21 and versions 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties. The advisory explains the bug as:
"There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system."
The software company recommends that its users upgrade each affected product installation to a fixed version or any later version. If a user is not able to update the affected product, a temporary mitigation step is to disable "Public Signup". According to the advisory, disabling public signup changes the attack vector from an unauthenticated attack to an authenticated one, which reduces the risk of exploitation. To disable this setting, go to Administration > Authentication and clear the Allow public sign-up checkbox. However, the advisory adds that this should only be a temporary measure, because authenticated users with ADMIN or SYS_ADMIN privileges can still exploit the vulnerability when public signup is disabled. The company says Atlassian Cloud sites are not affected.
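The Bitbucket conditions above (version 7.0 to 7.21, or 8.0 to 8.4 with mesh.enabled=false in bitbucket.properties) can be encoded as a small triage check. This is an added example, not code from Atlassian or the advisory; the function and status names are assumptions, fixed versions are not encoded because the article does not list them, and an absent mesh.enabled key is reported for manual verification rather than guessed.

```python
"""Triage helper for CVE-2022-43781 exposure (Bitbucket Server / Data Center).

Encodes only the conditions stated in the article: versions 7.0-7.21 are
affected; versions 8.0-8.4 are affected when mesh.enabled=false in
bitbucket.properties. Anything outside those ranges is reported as such;
consult the advisory for the fixed versions.
"""
import re
from typing import Optional, Tuple


def parse_version(version: str) -> Tuple[int, int]:
    """Return (major, minor) from strings like '7.21.4' or '8.4.0-rc1'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def mesh_enabled(properties_text: str) -> Optional[bool]:
    """Read mesh.enabled from bitbucket.properties text (simplified parser).

    Returns True/False for an explicit setting, or None when the key is
    absent or commented out, so the caller can flag it for manual review.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2 and parts[0] == "mesh.enabled":
            return parts[1].strip().lower() == "true"
    return None


def cve_2022_43781_status(version: str, properties_text: str = "") -> str:
    """Classify one instance by the article's stated affected conditions."""
    major, minor = parse_version(version)
    if major == 7 and 0 <= minor <= 21:
        return "affected"
    if major == 8 and 0 <= minor <= 4:
        mesh = mesh_enabled(properties_text)
        if mesh is False:
            return "affected"
        if mesh is None:
            return "verify-mesh"  # key missing: confirm the effective setting
        return "not-affected"     # Mesh enabled, so the stated condition fails
    return "not-in-stated-ranges"  # check the advisory's fixed-version list


# Constructed sample bitbucket.properties content (not from a real instance).
SAMPLE_PROPERTIES = "# constructed sample\nserver.port=7990\nmesh.enabled=false\n"

if __name__ == "__main__":
    print(cve_2022_43781_status("8.4.1", SAMPLE_PROPERTIES))  # affected
```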
Only new installations of Crowd affected
The vulnerability, rated critical, was introduced in Crowd Server version 3.0.0. It affects all versions from 3.0.0 onward, but only if both of the following conditions are met:
- The vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example, version 2.9.1, to version 3.0.0 or later, your instance is not affected.
- An IP address has been added to the Remote Address configuration of the Crowd application (which is empty by default in versions after 3.0.0).
The company explains the bug as a flaw that allows an attacker connecting from an IP address in the allow list to authenticate as the Crowd application by bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd's REST API under the user management path. The flaw was discovered during an internal security review. Atlassian recommends upgrading the instance to one of the fixed versions.