Atlassian Bitbucket: Vulnerability Spotted Inside Data Center

Atlassian is alerting Bitbucket Server and Data Center users to a critical security vulnerability that may allow attackers to run arbitrary code on vulnerable systems.
The newly disclosed vulnerability is a command injection flaw affecting multiple API endpoints of the product and is tracked as CVE-2022-36804. With a CVSS severity score of 9.9 out of a possible 10.0, the vulnerability is rated critical and needs to be fixed immediately.
According to an advisory from Atlassian, “A hacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request.”
Bitbucket is a Git-based code hosting service integrated with Jira and part of the company’s DevOps offering. Bitbucket offers both free and paid plans and supports an unlimited number of private repositories.
All Bitbucket versions released after 6.10.17 are impacted: “all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability,” according to Atlassian, which also states that the flaw was introduced in Bitbucket version 7.0.0.
Where the patches cannot be applied immediately, Atlassian advises disabling public repositories by setting ‘feature.public.access=false’ as a temporary measure to stop unauthenticated exploitation. Because the advisory’s own wording also covers attackers holding read permission on a private repository, this workaround only closes the unauthenticated path and is not a substitute for upgrading.
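As an added example (not code from the article or from Atlassian), the following triage helper takes a constructed inventory of Bitbucket instances and reports, for each, whether its version lies in the advisory’s affected range (7.0.0 through 8.3.0 inclusive) and whether the interim ‘feature.public.access=false’ workaround is present in its bitbucket.properties; it assumes the property defaults to enabled when absent and that the inventory format shown is how an operator records hosts.

```python
import re

# Inclusive affected range named in the Atlassian advisory for CVE-2022-36804.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (8, 3, 0)


def parse_version(text):
    """Turn a version string such as '8.2.1' (optional suffix) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the version falls inside the advisory's inclusive affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def public_access_disabled(properties_text):
    """True if bitbucket.properties explicitly sets feature.public.access=false.
    Assumption for this example: the feature is enabled when the key is absent."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blank lines and Java-properties comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "feature.public.access":
            return value.strip().lower() == "false"
    return False


def triage(inventory):
    """inventory: list of (hostname, version, properties_text).
    Returns (hostname, status) pairs. 'mitigated-unauth-only' means the workaround
    is set but the read-permission path from the advisory remains open."""
    results = []
    for host, version, props in inventory:
        if not is_affected(version):
            status = "outside-affected-range"
        elif public_access_disabled(props):
            status = "mitigated-unauth-only"
        else:
            status = "exposed"
        results.append((host, status))
    return results


# Constructed sample inventory (hostnames, versions and properties are made up).
SAMPLE_INVENTORY = [
    ("git-a.example.internal", "7.21.4", "feature.public.access=true\n"),
    ("git-b.example.internal", "8.3.0", "# hardened\nfeature.public.access=false\n"),
    ("git-c.example.internal", "6.10.17", ""),
]
```

Running `triage(SAMPLE_INVENTORY)` flags git-a as exposed, git-b as mitigated for unauthenticated access only, and git-c as outside the affected range.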

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents