• Menu
  • Skip to main content
  • Skip to primary sidebar

The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
atlassian releases patches for critical flaws affecting crowd and bitbucket

Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products

You are here: Home / General Cyber Security News / Atlassian Releases Patches for Critical Flaws Affecting Crowd and Bitbucket Products
November 19, 2022

Australian application corporation Atlassian has rolled out security updates to tackle two critical flaws influencing Bitbucket Server, Knowledge Middle, and Crowd products.

The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are equally rated 9 out of 10 on the CVSS vulnerability scoring technique.

CVE-2022-43781, which Atlassian claimed was launched in variation 7.. of Bitbucket Server and Information Middle, affects variations 7. to 7.21 and 8. to 8.4 (only if mesh.enabled is set to untrue in bitbucket.properties).

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


The weak spot has been described as a case of command injection employing setting variables in the application, which could make it possible for an adversary with authorization to management their username to gain code execution on the impacted procedure.

As a short-term workaround, the corporation is recommending people change off the “General public Signup” selection (Administration > Authentication).

“Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated just one which would minimize the risk of exploitation,” it observed in an advisory. “ADMIN or SYS_ADMIN authenticated buyers nevertheless have the capacity to exploit the vulnerability when public signup is disabled.”

The next vulnerability, CVE-2022-43782, considerations a misconfiguration in Crowd Server and Facts Centre that could allow an attacker to invoke privileged API endpoints, but only in eventualities wherever the undesirable actor is connecting from an IP address extra to the Distant Tackle configuration.

Released in Crowd 3.. and identified in the course of an internal security overview, the shortcoming impacts all new installations, which means buyers who upgraded from a edition prior to Crowd 3.. are not vulnerable.

It really is not uncommon for flaws in Atlassian and Bitbucket to be subjected to energetic exploitation in the wild, making it crucial that buyers go immediately to use the patches.

Final month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a command injection flaw in Bitbucket Server and Information Centre (CVE-2022-36804, CVSS score: 9.9) was becoming weaponized in attacks considering that late September 2022.

Observed this write-up appealing? Follow THN on Fb, Twitter  and LinkedIn to examine far more distinctive material we submit.


Some pieces of this report are sourced from:
thehackernews.com

Previous Post: «the it pro podcast: how secure is metaverse tech? The IT Pro Podcast: How secure is metaverse tech?
Next Post: Chinese ‘Mustang Panda’ Hackers Actively Targeting Governments Worldwide chinese 'mustang panda' hackers actively targeting governments worldwide»

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Report This Article

Recent Posts

  • Qilin Ransomware Adds “Call Lawyer” Feature to Pressure Victims for Larger Ransoms
  • Iran’s State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
  • 6 Steps to 24/7 In-House SOC Success
  • Massive 7.3 Tbps DDoS Attack Delivers 37.4 TB in 45 Seconds, Targeting Hosting Provider
  • 67 Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers
  • New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud and NFC Theft
  • BlueNoroff Deepfake Zoom Scam Hits Crypto Employee with MacOS Backdoor Malware
  • Secure Vibe Coding: The Complete New Guide
  • Uncover LOTS Attacks Hiding in Trusted Tools — Learn How in This Free Expert Session
  • Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

Copyright © TheCyberSecurity.News, All Rights Reserved.