Atlassian fixes critical command injection bug in Bitbucket Server


Atlassian has released updates to address critical-severity vulnerabilities in Crowd Server and Data Center, its centralized identity management platform, and in Bitbucket Server and Data Center, the company’s solution for Git repository management.

Both security vulnerabilities received a severity rating of 9 out of 10 (calculated by Atlassian) and affect multiple versions of the products.

Misconfiguration in Crowd

Rated critical, the issue in Crowd Server and Data Center is tracked as CVE-2022-43782. A security misconfiguration allows an attacker to bypass password checks when authenticating as the Crowd application and to call privileged API endpoints.

The issue was introduced in version 3.0.0 of the product. Instances that were upgraded to 3.0.0 or later from an earlier release, such as 2.9.1, are not affected.

Atlassian explains that exploitation is only possible under certain conditions. One is that the Remote Address configuration of the Crowd application has been changed to include an IP address from which the attacker can connect, a deviation from the default setting (none).

“This would allow the attacker to call privileged endpoints in Crowd’s REST API under the user management path,” Atlassian notes in a security advisory.

The issue impacts Crowd versions 3.0.0 to 3.7.2, 4.0.0 to 4.4.3, and 5.0.0 to 5.0.2. Crowd 5.0.3 and 4.4.4 are not affected.

Atlassian will not fix the flaw in the 3.x versions of the product because they have reached end of life and are no longer supported.

The security advisory provides detailed instructions for administrators to check if an instance has been compromised and the steps to follow.

Bitbucket flaw details

The flaw affecting Bitbucket Server and Data Center was introduced in version 7.0 of the product and is identified as CVE-2022-43781. It is a command injection vulnerability that lets an attacker with permission to control their username gain code execution on the target system under certain conditions.

All versions from 7.0 to 7.21 are affected regardless of their configuration. Versions 8.0 through 8.4 are affected only where the “mesh.enabled” property has been set to false in the configuration properties.

CVE-2022-43781 does not affect instances that use PostgreSQL as their database, nor Bitbucket Cloud instances hosted by Atlassian.

The versions that fix the problem are:

  • 7.6.19 or newer
  • 7.17.12 or newer
  • 7.21.6 or newer
  • 8.0.5 or newer
  • 8.1.5 or newer
  • 8.2.4 or newer
  • 8.3.3 or newer
  • 8.4.2 or newer
  • 8.5.0 or newer
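As an added triage example (this is not code from Atlassian or BleepingComputer), the following Python encodes the affected-version ranges, the fixed releases listed above, the PostgreSQL exemption, and the mesh.enabled condition for the 8.x line, and also reports the nearest fixed release an affected instance can move to. The properties parser assumes a Java-style key=value text; the sample properties text is constructed for the example.

```python
"""Triage helper for CVE-2022-43781 (Bitbucket Server / Data Center).

Added example, not Atlassian's code. Version ranges and fixed releases are
taken from the advisory summary above; everything else is an assumption.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed release on each branch that received a fix (from the list above).
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (7, 6): (7, 6, 19),
    (7, 17): (7, 17, 12),
    (7, 21): (7, 21, 6),
    (8, 0): (8, 0, 5),
    (8, 1): (8, 1, 5),
    (8, 2): (8, 2, 4),
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 2),
}
FIRST_CLEAN_LINE: Version = (8, 5, 0)   # 8.5.0 and newer are fixed
FIRST_AFFECTED: Version = (7, 0, 0)     # introduced in 7.0


def parse_version(text: str) -> Version:
    """Parse 'major[.minor[.patch]]' into a comparable 3-tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def mesh_enabled_from_properties(properties_text: str) -> Optional[bool]:
    """Read the mesh.enabled key from Java-style properties text.

    Returns None when the key is absent (the instance then needs manual checking).
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, value = line.split(sep, 1)
                break
        else:
            continue
        if key.strip() == "mesh.enabled":
            return value.strip().lower() == "true"
    return None


def assess(version: str, mesh_enabled: Optional[bool] = None, database: str = "") -> str:
    """Classify an instance: 'not_affected', 'fixed', 'affected' or 'affected_if_mesh_disabled'."""
    v = parse_version(version)
    if database.lower().startswith("postgres"):
        return "not_affected"             # PostgreSQL-backed instances are out of scope
    if v < FIRST_AFFECTED:
        return "not_affected"             # flaw introduced in 7.0
    if v >= FIRST_CLEAN_LINE:
        return "fixed"
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is not None and v >= fixed:
        return "fixed"
    if v[0] == 7:
        return "affected"                 # 7.0-7.21: affected regardless of configuration
    # 8.0-8.4 below the branch fix: only exploitable with mesh.enabled=false
    if mesh_enabled is None:
        return "affected_if_mesh_disabled"
    return "not_affected" if mesh_enabled else "affected"


def recommended_upgrade(version: str) -> Optional[str]:
    """Lowest fixed release that is at or above the running version."""
    v = parse_version(version)
    candidates = sorted(list(FIXED_RELEASES.values()) + [FIRST_CLEAN_LINE])
    for candidate in candidates:
        if candidate >= v:
            return ".".join(str(n) for n in candidate)
    return None


# Constructed sample properties text (not taken from any real instance).
SAMPLE_PROPERTIES = """# constructed sample
server.port=7990
mesh.enabled = false
"""

if __name__ == "__main__":
    mesh = mesh_enabled_from_properties(SAMPLE_PROPERTIES)
    for ver in ("7.10.0", "7.21.5", "7.21.6", "8.4.1"):
        print(ver, assess(ver, mesh_enabled=mesh), "->", recommended_upgrade(ver))
```

Branches such as 7.10 that never received a fix are reported as affected and steered to the next fixed release (7.17.12 in that case); an 8.x instance whose properties do not mention mesh.enabled is flagged for manual checking rather than silently assumed safe.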

Users unable to upgrade to the fixed versions should disable “Public Signup.” This forces an attacker to authenticate with valid credentials, which reduces the risk of exploitation.

The security advisory notes that ADMIN and SYS_ADMIN users can still exploit the flaw under this configuration, so it should be treated as a temporary mitigation measure.

Source: BleepingComputer