Atlassian Critical Bitbucket RCE Vulnerability Exists in the Wild

November 20, 2022

Atlassian has released security patches to address two critical vulnerabilities in Bitbucket Server, Data Center, and Crowd.

An attacker might be able to execute remote code (RCE) by exploiting one of the vulnerabilities.

The Vulnerabilities

  • CVE-2022-43781, Critical (CVSS 3.1: 9.0) – Environment variable-based command injection vulnerability that might allow a malicious actor with permission to control their username to gain code execution on the affected system.
  • CVE-2022-43782, Critical (CVSS 3.1: 9.0) – Misconfiguration that allows an attacker to bypass password checks when authenticating as the Crowd application and to call privileged API endpoints.

Affected Products

  • CVE-2022-43781 – The vulnerability affects a wide variety of Bitbucket Server and Data Center versions; the full list appears in the advisory.
  • CVE-2022-43782
    • Crowd 3.0.0 to Crowd 3.7.2.
    • Crowd 4.0.0 to Crowd 4.4.3.
    • Crowd 5.0.0 to Crowd 5.0.2.
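To turn the Crowd ranges above into a repeatable inventory check, here is an added example (written for this post, not Atlassian's or CYREBRO's tooling) that parses Crowd version strings and reports which hosts fall inside the listed affected ranges. It takes the ranges as inclusive, exactly as they are stated above, and it covers only CVE-2022-43782 because this post does not list the affected Bitbucket versions. The inventory at the bottom is constructed sample data.

```python
"""Check Crowd version strings against the affected ranges listed for
CVE-2022-43782: 3.0.0 to 3.7.2, 4.0.0 to 4.4.3, 5.0.0 to 5.0.2 (inclusive).

Example code added for this post; not Atlassian's tooling. The ranges are
the ones stated in the advisory summary, and no fixed version numbers are
assumed because the post does not give them.
"""

from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as (lowest, highest), both ends inclusive, per the list above.
AFFECTED_RANGES = [
    ((3, 0, 0), (3, 7, 2)),
    ((4, 0, 0), (4, 4, 3)),
    ((5, 0, 0), (5, 0, 2)),
]


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.patch' (a trailing suffix such as '-SNAPSHOT' is
    ignored; missing components are treated as 0) into an int tuple.
    Returns None for unparseable input so that a bad inventory entry is
    reported as UNKNOWN rather than silently treated as unaffected."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> Optional[bool]:
    """True if the version lies in a listed affected range, False if it does
    not, None if the version string could not be parsed. Tuple comparison
    gives correct numeric ordering (3.10.0 > 3.7.2), unlike string compare."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a triage label. 'not in listed ranges' deliberately
    does not say 'safe': it only means the version is outside the ranges
    this post lists, so the advisory should still be consulted."""
    result = {}
    for host, version in inventory.items():
        status = is_affected(version)
        if status is None:
            result[host] = "UNKNOWN version"
        elif status:
            result[host] = "AFFECTED"
        else:
            result[host] = "not in listed ranges"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "crowd-prod-1": "4.4.3",
    "crowd-prod-2": "5.0.3",
    "crowd-staging": "3.7.2-SNAPSHOT",
    "crowd-lab": "n/a",
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {SAMPLE_INVENTORY[host]:16} {label}")
```

Feed it whatever version list your asset inventory exports; anything labelled UNKNOWN is a data-quality problem to chase, not a host to ignore.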

Mitigation

CYREBRO recommends updating Bitbucket Server, Data Center, and Crowd to their latest available versions (Bitbucket, Crowd).

Workaround

  • CVE-2022-43781 – Users who are unable to upgrade to the fixed versions should disable “Public Signup”. The attacker then has to authenticate with valid credentials, which reduces the risk of exploitation.
    ADMIN and SYS_ADMIN users can still exploit the flaw under this configuration, so it should be treated as a temporary mitigation measure.
  • CVE-2022-43782 – Users who are unable to upgrade to the fixed versions should temporarily mitigate the issue by removing or validating any remote addresses configured for the Crowd product’s crowd application, or by changing the crowd application’s password to a stronger one. The password change is especially important if you can’t remove the remote addresses.

References: Bitbucket Advisory, Crowd Advisory
