Atlassian has rolled out fixes for a critical security flaw in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations.
Tracked as CVE-2022-36804 (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited by means of specially crafted HTTP requests.
“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian said in an advisory.
The shortcoming, discovered and reported by security researcher @TheGrandPew, impacts all versions of Bitbucket Server and Datacenter released after 6.10.17, inclusive of 7.0 and newer:
- Bitbucket Server and Datacenter 7.6
- Bitbucket Server and Datacenter 7.17
- Bitbucket Server and Datacenter 7.21
- Bitbucket Server and Datacenter 8.0
- Bitbucket Server and Datacenter 8.1
- Bitbucket Server and Datacenter 8.2, and
- Bitbucket Server and Datacenter 8.3
As a temporary workaround in scenarios where the patches cannot be applied right away, Atlassian is recommending turning off public repositories using “feature.public.access=false” to prevent unauthorized users from exploiting the flaw.
“This can not be considered a complete mitigation as an attacker with a user account could still succeed,” it cautioned, meaning it could be leveraged by threat actors who are already in possession of valid credentials obtained through other means.
Users of affected versions of the software are advised to upgrade their instances to the latest version as soon as possible to mitigate potential threats.
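The interim workaround above is a single setting in the instance's properties file. The following Python snippet is an added example written for this page, not tooling from Atlassian or from the original article: it parses a Java-style properties file, reports whether public repository access is still enabled, and shows how the file looks once the setting is forced off. It assumes the setting lives in bitbucket.properties (typically under the shared home directory) and that the key is treated as true when absent; both are assumptions, not facts stated in the article. The sample file content is constructed.

```python
"""Audit a Bitbucket Server / Data Center properties file for the
CVE-2022-36804 interim workaround (feature.public.access=false).

Added example for illustration; not Atlassian's code or the article's.
"""
import re

# Constructed sample of a bitbucket.properties file with the workaround NOT applied.
SAMPLE_PROPERTIES = """# constructed sample bitbucket.properties
server.port=7990
# public repositories still enabled
feature.public.access = true
"""

KEY = "feature.public.access"


def parse_properties(text):
    """Minimal Java .properties parser: 'key=value' or 'key:value',
    '#' / '!' comment lines, surrounding whitespace ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def public_access_enabled(props):
    """True when public repositories are allowed.
    Assumption (not stated on the page): the key defaults to true when absent."""
    return props.get(KEY, "true").strip().lower() != "false"


def assess(text):
    """Summarize the workaround state for one properties file."""
    enabled = public_access_enabled(parse_properties(text))
    return {
        "public_access_enabled": enabled,
        "workaround_applied": not enabled,
        # Per the quoted advisory, disabling public access is not a complete
        # mitigation: an attacker holding a user account can still succeed.
        "patch_still_required": True,
    }


def apply_workaround(text):
    """Return the properties text with feature.public.access set to false,
    replacing any existing (non-comment) definition or appending one."""
    out, seen = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        is_key_line = (
            stripped
            and stripped[0] not in "#!"
            and re.match(r"^" + re.escape(KEY) + r"\s*[=:]", stripped)
        )
        if is_key_line:
            out.append(f"{KEY}=false")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append(f"{KEY}=false")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", assess(SAMPLE_PROPERTIES))
    hardened = apply_workaround(SAMPLE_PROPERTIES)
    print("after: ", assess(hardened))
    print(hardened)
```

The `patch_still_required` flag is deliberately always true: the page's own point is that disabling public access only narrows exposure to authenticated users, so the audit should never report the instance as fully mitigated until it is upgraded.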
Some parts of this article are sourced from:
thehackernews.com