Atlassian fixed 2 critical flaws in Crowd and Bitbucket products

Atlassian addressed this week two critical vulnerabilities impacting its Crowd and Bitbucket products.

Atlassian announced the release of security updates to address critical-severity vulnerabilities in its identity management platform, Crowd Server and Data Center, and in the Bitbucket Server and Data Center, a self-managed solution that provides source code collaboration for professional teams.

The vulnerability in the Bitbucket source code repository hosting service, tracked as CVE-2022-43781, is a critical command injection vulnerability.

The vulnerability received a CVSS score of 9/10 and affects Bitbucket Server and Data Center version 7 and, and version 8 if mesh.enabled is set to false in bitbucket.properties.

“There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system.” reads the advisory published by the vendor.

The second critical vulnerability addressed by Atlassian, tracked as CVE-2022-43782 (CVSS score of 9/10), is a security misconfiguration issue.

An attacker connecting from IP in the allow list can trigger the vulnerability to bypass password checks when authenticating as the Crowd app and to call privileged API endpoints.

“The vulnerability allows an attacker connecting from IP in the allow list to authenticate as the crowd application through bypassing a password check. This would allow the attacker to call privileged endpoints in Crowd’s REST API under the usermanagement path.” reads the advisory.

The flaw was introduced in Crowd 3.0.0, it affects all versions released after 3.0.0 but only if both of the following conditions are met:

the vulnerability concerns only new installations of affected versions: if you upgraded from an earlier version, for example version 2.9.1, to version 3.0.0 or later, your instance is not affected.
- A new installation is defined by an instance of Crowd that is the same version that you originally downloaded from the downloads page and has not been upgraded since
an IP address has been added to the Remote Address configuration of the crowd application (which is none by default in versions after 3.0.0)

Summarizing, all new installations running any of the following versions are impacted:

Crowd 3.0.0 – Crowd 3.7.2
Crowd 4.0.0 – Crowd 4.4.3
Crowd 5.0.0 – Crowd 5.0.2

Atlassian will not patch the vulnerability in version 3.0.0 of the product because it reached the end of life.

The advisory provides instructions to check if an instance was compromised along with mitigation that can be applied if it is not possible to immediately upgrade Crowd.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Bitbucket Server)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.