November 20, 2022
Atlassian Critical Bitbucket RCE Vulnerability Exists in the Wild
Atlassian has released security patches to address two critical vulnerabilities in Bitbucket Server, Data Center, and Crowd.
An attacker might be able to execute remote code (RCE) by exploiting one of the vulnerabilities.
- CVE-2022-43781, Critical (CVSS 3.1: 9.0) – Environment-variable-based command injection vulnerability; it might allow a malicious actor with permission to control their username to gain code execution on the affected system.
- CVE-2022-43782, Critical (CVSS 3.1: 9.0) – Misconfiguration that allows an attacker to bypass password checks when authenticating as the Crowd app and to call privileged API endpoints.
- CVE-2022-43781 – The vulnerability affects a wide variety of Bitbucket Server and Data Center versions; the full list appears in the advisory.
- CVE-2022-43782 – Affected Crowd versions:
  - Crowd 3.0.0 to Crowd 3.7.2.
  - Crowd 4.0.0 to Crowd 4.4.3.
  - Crowd 5.0.0 to Crowd 5.0.2.
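The Crowd version ranges above are inclusive on both ends, so a quick inventory check needs a real version comparison rather than string matching. The following is an added example (not Atlassian tooling and not part of the advisory) that parses version strings into comparable tuples and flags any version inside the listed ranges; the sample inventory at the bottom is constructed, and a version outside the ranges is reported only as "not in listed ranges", since this page does not state which releases carry the fix.

```python
"""Flag Crowd versions that fall inside the affected ranges listed for
CVE-2022-43782. Added example; ranges copied from the advisory summary."""

# Affected ranges as stated on the page, inclusive at both ends.
AFFECTED_RANGES = [
    ((3, 0, 0), (3, 7, 2)),
    ((4, 0, 0), (4, 4, 3)),
    ((5, 0, 0), (5, 0, 2)),
]


def parse_version(s):
    """Turn '4.4.3' (optionally with a '-rc1' or '+build' suffix) into a
    comparable tuple of three ints, padding missing components with 0."""
    core = s.strip().split("-")[0].split("+")[0]
    nums = []
    for part in core.split(".")[:3]:
        if not part.isdigit():
            raise ValueError(f"unrecognised version string: {s!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True if the version lies within any listed affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to a verdict. Versions outside the ranges are
    only 'not in listed ranges'; this page does not name the fixed releases."""
    return {
        v: ("affected" if is_affected(v) else "not in listed ranges")
        for v in versions
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["3.7.2", "4.4.3", "4.4.4", "5.0.2", "5.0.3", "2.12.0"]
    for ver, verdict in triage(sample).items():
        print(f"Crowd {ver}: {verdict}")
```

Tuple comparison keeps `4.4.10` ordered after `4.4.3`, which a plain string comparison would get wrong; that is the usual pitfall when scripting version checks against an advisory.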
- CVE-2022-43781 – Users who are unable to upgrade to the fixed versions should disable “Public Signup”. The attacker would then need to authenticate using valid credentials, which reduces the risk of exploitation.
ADMIN and SYS_ADMIN users can still exploit the flaw under this configuration, so it should be treated as a temporary mitigation measure.
- CVE-2022-43782 – Users who are unable to upgrade to the fixed versions should temporarily mitigate the issue by removing or validating any remote addresses for the Crowd product’s crowd application, or by changing the password for the crowd application to a stronger one, which is especially important if the remote addresses cannot be removed.