Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products.
The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system.
CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center, affects versions 7.0 to 7.21 and 8.0 to 8.4 (only if mesh.enabled is set to false in bitbucket.properties).
The weakness has been described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to gain code execution on the affected system.
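A quick triage check for the exposure condition stated above, written here as an added example (not Atlassian's or the article's own code): it reads a bitbucket.properties file and a reported version and applies the article's rule that an install is affected when its major.minor is in 7.0-7.21 or 8.0-8.4 and mesh.enabled is explicitly false. The sample properties text is constructed, and the check compares major.minor only, so a flagged install should still be compared against the fixed maintenance releases listed in Atlassian's advisory.

```python
"""Exposure triage for CVE-2022-43781 in Bitbucket Server / Data Center.

Added example; it encodes the condition given in the article above:
affected versions 7.0-7.21 and 8.0-8.4, only if mesh.enabled=false.
"""
import re
from typing import Dict, Tuple

# Affected (major, minor) series as stated in the advisory summary.
AFFECTED_RANGES = (((7, 0), (7, 21)), ((8, 0), (8, 4)))


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_version(version: str) -> Tuple[int, int]:
    """Return (major, minor) from strings such as '8.4.1' or '7.21'."""
    parts = version.strip().split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return int(parts[0]), minor


def in_affected_range(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(version: str, properties_text: str) -> str:
    """Classify an install against the article's stated condition."""
    if not in_affected_range(version):
        return "not affected: version outside 7.0-7.21 / 8.0-8.4"
    mesh = parse_properties(properties_text).get("mesh.enabled", "").lower()
    if mesh != "false":
        return "not affected by stated condition: mesh.enabled is not set to false"
    return "AFFECTED: patch or disable Public Signup as an interim measure"


if __name__ == "__main__":
    # Constructed sample bitbucket.properties content for demonstration.
    SAMPLE_PROPS = "# constructed sample\nserver.port=7990\nmesh.enabled = false\n"
    for ver in ("7.21.0", "8.4.0", "8.5.0"):
        print(ver, "->", assess(ver, SAMPLE_PROPS))
```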
As a temporary workaround, the company is recommending users turn off the “Public Signup” option (Administration > Authentication).
“Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one which would reduce the risk of exploitation,” it noted in an advisory. “ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled.”
The second vulnerability, CVE-2022-43782, concerns a misconfiguration in Crowd Server and Data Center that could permit an attacker to invoke privileged API endpoints, but only in scenarios where the bad actor is connecting from an IP address added to the Remote Address configuration.
Introduced in Crowd 3.0.0 and identified during an internal security review, the shortcoming impacts all new installations, meaning users who upgraded from a version prior to Crowd 3.0.0 are not vulnerable.
It's not uncommon for flaws in Atlassian and Bitbucket to be subjected to active exploitation in the wild, making it imperative that users move quickly to apply the patches.
Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a command injection flaw in Bitbucket Server and Data Center (CVE-2022-36804, CVSS score: 9.9) was being weaponized in attacks since late September 2022.