Atlassian released patches for two critical vulnerabilities affecting Bitbucket Server, Data Center, and Crowd products. These vulnerabilities are tracked as CVE-2022-43781 (Command Injection) and CVE-2022-43782 (Improper Authentication).
CVE-2022-43781 – A command injection vulnerability in Atlassian Bitbucket Server and Data Center involving environment variables. An attacker with permission to control their username can exploit this issue to execute code on the affected system.
CVE-2022-43782 – An improper authentication vulnerability in Atlassian Crowd, in the user management path of Crowd's REST API. It allows an attacker to connect remotely without providing a password, authenticate as the Crowd application, and call privileged endpoints. Exploitation requires that the attacker's IP address has been added to the application's list of allowed remote IPs, which is a deviation from the default configuration.
- Atlassian Bitbucket Server and Data Center from 7.0.0 before 7.6.19
- Atlassian Bitbucket Server and Data Center from 7.7.0 before 7.17.12
- Atlassian Bitbucket Server and Data Center from 7.18.0 before 7.21.6
- Atlassian Bitbucket Server and Data Center from 8.0.0 before 8.0.5
- Atlassian Bitbucket Server and Data Center from 8.1.0 before 8.1.5
- Atlassian Bitbucket Server and Data Center from 8.2.0 before 8.2.4
- Atlassian Bitbucket Server and Data Center from 8.3.0 before 8.3.3
- Atlassian Bitbucket Server and Data Center from 8.4.0 before 8.4.2
Note: the 8.x series is only affected if “mesh.enabled” is set to false in “bitbucket.properties”.
- Atlassian Crowd from 3.0.0 before 4.4.4
- Atlassian Crowd from 5.0.0 before 5.0.3
Note: 3.0.0 has reached end of life (EOL), so no fixed version is published for this range.
Fixed Bitbucket Server and Data Center versions have been released: 7.6.19, 7.17.12, 7.21.6, 8.0.5, 8.1.5, 8.2.4, 8.3.3, 8.4.2, and 8.5.0 or later.
Crowd versions 4.4.4 and 5.0.3 address this issue.
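The version ranges above are easy to misread when triaging an estate, especially the 8.x rule that depends on mesh.enabled. The following triage helper is an added example and is not Atlassian's code: the ranges are copied from this advisory, and the decision to treat a missing mesh.enabled key as "affected until verified" is an assumption made here, not something the advisory states.

```python
"""Triage helper for the affected/fixed version ranges listed above.

Constructed example, not Atlassian's code. The ranges below are copied from
the advisory text; how a missing ``mesh.enabled`` key is treated is an
assumption made in this script.
"""
import re

# (first affected, first fixed) per advisory: affected if first <= v < fixed.
BITBUCKET_RANGES = [
    ((7, 0, 0), (7, 6, 19)),
    ((7, 7, 0), (7, 17, 12)),
    ((7, 18, 0), (7, 21, 6)),
    ((8, 0, 0), (8, 0, 5)),
    ((8, 1, 0), (8, 1, 5)),
    ((8, 2, 0), (8, 2, 4)),
    ((8, 3, 0), (8, 3, 3)),
    ((8, 4, 0), (8, 4, 2)),
]
CROWD_RANGES = [
    ((3, 0, 0), (4, 4, 4)),
    ((5, 0, 0), (5, 0, 3)),
]


def parse_version(text):
    """'7.21.5' -> (7, 21, 5); missing parts become 0, suffixes like '-rc1' are ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def fmt(v):
    return ".".join(str(x) for x in v)


def find_fix(version, ranges):
    """Return the first fixed version of the range containing `version`, else None."""
    for first, fixed in ranges:
        if first <= version < fixed:
            return fixed
    return None


def mesh_enabled(properties_text):
    """Read mesh.enabled from bitbucket.properties content (Java properties syntax).

    Returns True/False when the key is present and None when it is absent.
    Comment lines (# or !) are skipped, so a commented-out key does not count.
    """
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == "mesh.enabled":
            return m.group(2).strip().lower() == "true"
    return None


def assess_bitbucket(version_str, properties_text=""):
    """Classify a Bitbucket Server/Data Center install against CVE-2022-43781."""
    v = parse_version(version_str)
    fixed = find_fix(v, BITBUCKET_RANGES)
    if fixed is None:
        return {"affected": False, "fixed_in": None,
                "reason": "version is outside the advisory's affected ranges"}
    if v[0] == 8:
        mesh = mesh_enabled(properties_text)
        if mesh is True:
            return {"affected": False, "fixed_in": fmt(fixed),
                    "reason": "8.x with mesh.enabled=true is not affected"}
        if mesh is None:
            # Assumption: an absent key is reported as affected so that an
            # unverified configuration is never silently cleared.
            reason = "8.x and mesh.enabled not found; treat as affected until verified"
        else:
            reason = "8.x with mesh.enabled=false"
        return {"affected": True, "fixed_in": fmt(fixed), "reason": reason}
    return {"affected": True, "fixed_in": fmt(fixed),
            "reason": "version within an affected 7.x range"}


def assess_crowd(version_str):
    """Classify a Crowd install against CVE-2022-43782."""
    v = parse_version(version_str)
    fixed = find_fix(v, CROWD_RANGES)
    if fixed is None:
        return {"affected": False, "fixed_in": None}
    return {"affected": True, "fixed_in": fmt(fixed)}


if __name__ == "__main__":
    # Constructed sample of a bitbucket.properties file.
    SAMPLE_PROPERTIES = "# constructed sample\nserver.port=7990\nmesh.enabled=false\n"
    for ver in ("7.21.5", "8.4.1", "8.5.0"):
        print("bitbucket", ver, assess_bitbucket(ver, SAMPLE_PROPERTIES))
    for ver in ("4.4.3", "5.0.3"):
        print("crowd", ver, assess_crowd(ver))
```

Feed it the version reported by each instance and the contents of its bitbucket.properties; anything it reports as affected should be upgraded to the fixed_in version it names, and an "affected until verified" result means the mesh.enabled setting must be confirmed by hand before the host is cleared.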
If you cannot upgrade the Bitbucket instance, disable “Public Signup.” This will reduce the risk of exploitation by changing the attack vector from an unauthenticated attack to an authenticated one.
To disable this setting:
- Go to Administration > Authentication.
- Clear the Allow public sign-up checkbox.
Note: this is a temporary mitigation, as authenticated ADMIN or SYS_ADMIN users can still exploit the vulnerability when public signup is disabled. Upgrading to a fixed version as soon as possible is therefore recommended.
If you cannot upgrade Crowd, ensure the Crowd application is not configured for remote access.
To do so:
- Log in to the Crowd Administration Console.
- In the top navigation bar, click Applications.
- In the Application Browser, click the application name you wish to update.
- In the View Application screen, click the Remote Addresses tab. You will see a list of IP addresses and hostnames currently mapped to the application.
- Remove any remote addresses that are not required.
If a remote IP is necessary, set a strong password for your Crowd application.