After Confluence, it is now Atlassian's Bitbucket that is affected by a critical vulnerability. The vendor has patched the flaw, which so far appears not to have been exploited.
In August 2021, Atlassian rushed out a fix for a critical flaw in Confluence, which was quickly exploited by attackers. Last July, another serious bug, again in Confluence, was used by cybercriminals.
That does not appear to be the case for another critical vulnerability from the same vendor, this time discovered in Bitbucket, its development management product built on Git repositories.
In this case, the flaw is an injection vulnerability in the APIs of the Server and Data Center editions of Bitbucket. It allows attackers to remotely execute malicious code and to view, modify or even delete data stored in repositories.
In its security advisory, Atlassian explained that "an attacker with access to a public repository or with read rights to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request". The flaw was discovered by security researcher @TheGrandPew through Atlassian's bug bounty program.
Atlassian's Bitbucket is the victim of a critical flaw that needs to be fixed. (Photo credit: Bitbucket)
Patch quickly before mass exploitation
The company has announced that it has fixed the flaw, which is present in versions 7.0.0 to 8.3.0 of the software, and advises affected users to update Bitbucket as quickly as possible. The vulnerability, tracked as CVE-2022-36804, received a CVSS severity score of 9.9 out of 10.
Even though no exploitation of the flaw has been observed, there is little doubt that cybercriminals are already scanning for vulnerable instances.
The vendor's advice also covers Bitbucket Mesh node configurations: a compatibility matrix helps users find the Mesh version that is compatible with their Bitbucket Data Center version.
If updating immediately is not possible, Atlassian recommends disabling public repositories globally as a temporary mitigation, but "this cannot be considered a full mitigation measure, as an attacker with a user account could still be successful."
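To turn the advisory's guidance into a repeatable check, the following triage helper classifies an instance by its reported version against the affected range above (7.0.0 to 8.3.0 inclusive) and states whether the temporary mitigation applies. This is an added example, not Atlassian's code; the JSON shape is assumed to mirror the response of Bitbucket's /rest/api/1.0/application-properties endpoint, and the sample response is constructed.

```python
"""Defender-side triage for CVE-2022-36804 (Bitbucket Server / Data Center).

Added example, not Atlassian's code. The affected range and the mitigation
advice come from the advisory summarised above; the JSON layout assumes the
shape returned by /rest/api/1.0/application-properties.
"""
import json
import re

# Inclusive range of affected versions as stated in the advisory.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (8, 3, 0)


def parse_version(text):
    """Turn '8.3.0', '8.3' or '7.21.3-suffix' into a comparable (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Bitbucket version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the instance lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(app_props_json, public_repos_allowed):
    """Return the action to take for one instance, given its
    application-properties response and whether public repositories are enabled."""
    version = json.loads(app_props_json)["version"]
    if not is_affected(version):
        return "not in affected range; no action for CVE-2022-36804"
    if public_repos_allowed:
        # Disabling public repositories is only a stop-gap: authenticated
        # users with read access to a private repository can still exploit it.
        return ("affected; upgrade now; as a stop-gap disable public repositories "
                "(partial mitigation: authenticated users can still exploit)")
    return "affected; upgrade now (public repositories already disabled)"


# Constructed sample response, not captured from a real instance.
SAMPLE = json.dumps({"version": "8.2.1", "buildNumber": "8002001",
                     "displayName": "Bitbucket"})

if __name__ == "__main__":
    print(triage(SAMPLE, public_repos_allowed=True))
```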