Atlassian has issued fixes for two critical vulnerabilities affecting Bitbucket Server and Data Center and Crowd. The flaws are tracked as CVE-2022-43781 and CVE-2022-43782 and carry a CVSS score of 9 out of 10:
CVE-2022-43781 allows a remote attacker to execute arbitrary code through command injection via environment variables in two cases:
if public sign-up is enabled on the server;
if the attacker is authenticated and can change the user name (i.e. holds Admin or Sys_admin rights).
The vulnerability affects Bitbucket Server versions 7.0 through 7.21 and 8.0 through 8.4. As a temporary workaround, Atlassian advises users to disable the Allow Public Signup setting.
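A defender triaging an inventory of Bitbucket instances against the conditions above can script the check. The following is an added example, not Atlassian's code or tooling: it encodes the affected minor-version ranges and the two exposure conditions the article names, and treats a version match as "in scope for the advisory" rather than "confirmed vulnerable", because the article does not list the specific patched builds inside those ranges. The instance names, versions and flags in the sample inventory are constructed for illustration.

```python
"""Triage helper for CVE-2022-43781 (Bitbucket Server / Data Center).

Added example, not Atlassian's code. Encodes the affected minor-version ranges
the article gives (7.0-7.21 and 8.0-8.4) and the two exposure conditions
(public sign-up enabled, or an authenticated account holding Admin/Sys_admin
rights that can rename users). It does NOT know the patched builds within
those ranges, so "in scope" means "compare against Atlassian's fix list".
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# (major, minor) ranges the article lists as affected, inclusive at both ends.
AFFECTED_MINOR_RANGES: Tuple[Tuple[Tuple[int, int], Tuple[int, int]], ...] = (
    ((7, 0), (7, 21)),
    ((8, 0), (8, 4)),
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a tuple; anything else is rejected."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch


def version_in_scope(version: str) -> bool:
    """True when major.minor falls inside one of the advisory's ranges."""
    major, minor, _ = parse_version(version)
    # Tuple comparison orders by major first, then minor.
    return any(lo <= (major, minor) <= hi for lo, hi in AFFECTED_MINOR_RANGES)


@dataclass(frozen=True)
class BitbucketInstance:
    name: str
    version: str
    public_signup_enabled: bool           # the "Allow Public Signup" setting
    untrusted_admin_accounts: bool        # Admin/Sys_admin rights held outside your trust boundary


def triage(inst: BitbucketInstance) -> str:
    """Classify one instance as 'not-in-scope', 'mitigated' or 'exposed'."""
    if not version_in_scope(inst.version):
        return "not-in-scope"
    # Either condition from the advisory turns a version match into live exposure.
    if inst.public_signup_enabled or inst.untrusted_admin_accounts:
        return "exposed"
    # Version matches but neither path is open: workaround in place, still patch.
    return "mitigated"


def triage_inventory(instances: Iterable[BitbucketInstance]) -> Dict[str, str]:
    """Map each instance name to its triage status."""
    return {inst.name: triage(inst) for inst in instances}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real systems).
    sample = [
        BitbucketInstance("bb-prod", "7.21.3", public_signup_enabled=True, untrusted_admin_accounts=False),
        BitbucketInstance("bb-staging", "8.4.1", public_signup_enabled=False, untrusted_admin_accounts=False),
        BitbucketInstance("bb-legacy", "6.10.0", public_signup_enabled=True, untrusted_admin_accounts=False),
        BitbucketInstance("bb-new", "8.5.0", public_signup_enabled=True, untrusted_admin_accounts=False),
    ]
    for name, status in triage_inventory(sample).items():
        print(f"{name}: {status}")
```

The "mitigated" result is deliberately not "safe": disabling public sign-up closes one of the two paths the article describes, and the version still needs to be upgraded.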
CVE-2022-43782 stems from a misconfiguration in Crowd Server and Data Center. The vulnerability lets an attacker call privileged API endpoints, but only in scenarios where the attacker connects from an IP address that has been added to the remote addresses configuration.
It is worth noting that the second vulnerability was found during an internal security review at Atlassian. This flaw affects only users of newer releases, Crowd 3.0.0 and later.