The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed critical flaw impacting Atlassian's Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2022-36804, the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary code execution on susceptible installations by sending a specially crafted HTTP request.
Successful exploitation, however, hinges on the prerequisite that the attacker already has access to a public repository or possesses read permissions to a private Bitbucket repository.
"All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected, meaning that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability," Atlassian noted in a late August 2022 advisory.
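The affected range quoted from the advisory is the one fact on this page an administrator can act on immediately: compare every Bitbucket instance in an inventory against it. The following is an added example (not code from the article, from CISA or from Atlassian) that parses `major.minor.patch` version strings and sorts a constructed, hypothetical inventory into instances inside the stated 7.0.0 to 8.3.0 range, instances outside it, and instances whose version could not be parsed and need a manual look. The page does not state which releases carry the fix, so "outside the stated range" is deliberately not labelled "patched"; confirm fixed versions against the vendor advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Inclusive affected range as quoted from the Atlassian advisory above.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (8, 3, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch' into a comparable tuple; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def in_stated_range(version: str) -> Optional[bool]:
    """True if the version is within the advisory's affected range (inclusive),
    False if it falls outside that range, None if the string cannot be parsed.
    Outside the range is NOT the same as fixed: this page lists no fixed versions."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket an {instance: version} mapping so that unknown versions are never
    silently treated as safe."""
    buckets: Dict[str, List[str]] = {
        "in_stated_range": [],
        "outside_stated_range": [],
        "review": [],
    }
    for host, ver in inventory.items():
        r = in_stated_range(ver)
        if r is None:
            buckets["review"].append(host)
        elif r:
            buckets["in_stated_range"].append(host)
        else:
            buckets["outside_stated_range"].append(host)
    return buckets


# Constructed sample inventory: hypothetical hostnames and versions, not real data.
SAMPLE_INVENTORY = {
    "bitbucket-prod.example.internal": "7.21.5",
    "bitbucket-dev.example.internal": "8.3.0",
    "bitbucket-legacy.example.internal": "6.10.17",
    "bitbucket-new.example.internal": "8.4.1",
    "bitbucket-unknown.example.internal": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Boundary versions matter here: both 7.0.0 and 8.3.0 are inside the range because the advisory says "inclusive", while 6.10.17 (the last release the advisory names as unaffected) is outside it. Feed the function whatever your asset inventory exports and treat every entry in the `review` bucket as unresolved until its version is confirmed.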
CISA did not provide further details about how the flaw is being exploited or how widespread exploitation efforts are, but GreyNoise said it detected evidence of in-the-wild exploitation on September 20 and 23.
As countermeasures, all Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerability by October 21, 2022 to protect networks against active threats.