Atlassian fixed 2 critical flaws in Crowd and Bitbucket products

Pierluigi Paganini November 18, 2022

Atlassian addressed this week two critical vulnerabilities impacting its Crowd and Bitbucket products.

Atlassian announced the release of security updates to address critical-severity vulnerabilities in its identity management platform, Crowd Server and Data Center, and in the Bitbucket Server and Data Center, a self-managed solution that provides source code collaboration for professional teams.

The vulnerability in the Bitbucket source code repository hosting service, tracked as CVE-2022-43781, is a critical command injection vulnerability.

The vulnerability received a CVSS score of 9/10 and affects Bitbucket Server and Data Center version 7, and version 8 if mesh.enabled is set to false in bitbucket.properties.

“There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system.” reads the advisory published by the vendor.

The second critical vulnerability addressed by Atlassian, tracked as CVE-2022-43782 (CVSS score of 9/10), is a security misconfiguration issue.

An attacker connecting from an IP address in the allow list can trigger the vulnerability to bypass password checks when authenticating as the Crowd application and then call privileged API endpoints.

“The vulnerability allows an attacker connecting from IP in the allow list to authenticate as the crowd application through bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd’s REST API under the usermanagement path.” reads the advisory.

The flaw was introduced in Crowd 3.0.0 and affects all versions released after 3.0.0, but only if both of the following conditions are met:

  • The vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example version 2.9.1, to version 3.0.0 or later, your instance is not affected.
    • A new installation is defined as an instance of Crowd that is still the same version that was originally downloaded from the downloads page and has not been upgraded since.
  • An IP address has been added to the Remote Address configuration of the crowd application (which is empty by default in versions after 3.0.0).

Summarizing, all new installations running any of the following versions are impacted:

  • Crowd 3.0.0 – Crowd 3.7.2
  • Crowd 4.0.0 – Crowd 4.4.3
  • Crowd 5.0.0 – Crowd 5.0.2
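The two affected-version conditions above (Crowd: in-range version, new installation, and at least one Remote Address entry; Bitbucket: 7.x, or 8.x with mesh.enabled=false in bitbucket.properties) can be turned into a small triage helper. The following is an added example, not code from Atlassian or from the advisories; the function names, the minimal properties-file parser and the choice to report "unknown" (None) for versions or settings the article does not name are assumptions of this example.

```python
# Added triage helper encoding the affected-version conditions summarized in
# the article for CVE-2022-43782 (Crowd) and CVE-2022-43781 (Bitbucket).
# Not Atlassian code; names and the "unknown" handling are this example's assumptions.
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges for new Crowd installations, as listed in the article.
CROWD_AFFECTED_RANGES = [
    ((3, 0, 0), (3, 7, 2)),
    ((4, 0, 0), (4, 4, 3)),
    ((5, 0, 0), (5, 0, 2)),
]


def parse_version(text: str) -> Version:
    """Turn '4.4.3' into (4, 4, 3) so tuple comparison orders versions correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def crowd_affected(version: str, new_install: bool, remote_addresses: Iterable[str]) -> bool:
    """True only when all three conditions from the advisory summary hold:
    version inside an affected range, a new (never-upgraded) installation,
    and at least one IP in the crowd application's Remote Address list."""
    v = parse_version(version)
    in_range = any(low <= v <= high for low, high in CROWD_AFFECTED_RANGES)
    has_remote_address = any(addr.strip() for addr in remote_addresses)
    return in_range and new_install and has_remote_address


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key=value' or 'key: value' lines,
    blank lines and '#'/'!' comments ignored (assumption: no line continuations)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, value = line.split(sep, 1)
                props[key.strip()] = value.strip()
                break
    return props


def bitbucket_affected(version: str, properties_text: str) -> Optional[bool]:
    """True for 7.x; for 8.x, True only when mesh.enabled is explicitly 'false'.
    Returns None when the article gives no answer (other major versions, or an
    8.x instance where mesh.enabled is not set, since its default is not stated)."""
    major = parse_version(version)[0]
    if major == 7:
        return True
    if major == 8:
        mesh = parse_properties(properties_text).get("mesh.enabled")
        if mesh is None:
            return None
        return mesh.lower() == "false"
    return None


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    sample_props = "# constructed bitbucket.properties\nmesh.enabled=false\n"
    print("Crowd 4.4.3, new install, allow-listed IP:",
          crowd_affected("4.4.3", True, ["10.0.0.5"]))
    print("Crowd 4.4.3, upgraded from 2.9.1:",
          crowd_affected("4.4.3", False, ["10.0.0.5"]))
    print("Bitbucket 8.4.0 with mesh.enabled=false:",
          bitbucket_affected("8.4.0", sample_props))
```

The helper deliberately answers None rather than False when the article gives no information, so an inventory script built on it does not silently mark an instance as safe; treat None results as "check the vendor advisory".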

Atlassian will not patch the vulnerability in version 3.0.0 of the product because that version has reached end of life.

The advisory provides instructions to check whether an instance has been compromised, along with a mitigation that can be applied if it is not possible to upgrade Crowd immediately.


Pierluigi Paganini

(SecurityAffairs – hacking, Bitbucket Server)
