
Atlassian has patched critical vulnerabilities in its Crowd and Bitbucket products.
In Bitbucket, its source code repository hosting service, Atlassian fixed CVE-2022-43781, a critical command injection vulnerability that affects Bitbucket Server and Data Center version 7 and, in some cases, version 8.
Updates that patch the flaw have been released for both Bitbucket 7 and 8. Atlassian Cloud sites are not affected.
In Crowd, an application security framework that handles authentication and authorization for web-based applications, Atlassian fixed CVE-2022-43782, a critical security misconfiguration issue affecting all versions starting with 3.0.0.
In summary, all new installations running any of the following versions are impacted:
- Crowd 3.0.0 – Crowd 3.7.2
- Crowd 4.0.0 – Crowd 4.4.3
- Crowd 5.0.0 – Crowd 5.0.2
Atlassian will not patch the vulnerability in version 3.0.0 of the product because it has reached end of life.
Although this flaw has been rated critical, it can only be exploited from IP addresses in the Crowd application's allowlist in the Remote Addresses configuration. It only impacts new installations; users who have updated their installation from a version prior to 3.0.0 are not affected.
There does not appear to be any evidence of malicious exploitation.