+44 (0)203 88 020 88

0
0
Subtotal: £0.00

No products in the basket.

No products in the basket.

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Critical Severity Vulnerabilities in Atlassian Products

Two critical severity vulnerabilities have been identified in Atlassian products Crowd, and Bitbucket Server and Data Center. Security advisories were released by Atlassian for each product detailing the severity, affected versions, and mitigation steps. The Atlassian Crowd Server and Data Center vulnerability affects all versions released after Crowd 3.0.0, however version 3.0.0 itself is an end of life product and is no longer supported, so that version has not received a patch. The Bitbucket Server and Bitbucket Data Center vulnerability affects versions 7.0 to 7.21, and versions 8.0 to 8.4 if specific conditions are met in bitbucket.properties, where mesh.enabled=false. 

Security misconfiguration vulnerability CVE-2022-43782 affects versions 3.0.0 and later of Atlassian Crowd only if an IP address is added to the remote access configuration, which is none by default. An attacker can connect from this IP that has been added to the allow list and be authenticated without the need for a password. The attacker can then use the usermanagement path to call privileged endpoints in the REST API. If access logs have been previously configured, users can check calls to the usermanagement path to check if their system has been compromised. However, access logs are not available by default. Crowd Data Center also has audit logs available that can check for compromise. This vulnerability can be mitigated by removing any remote IP addresses from the allow list, or by updating to a fixed version, which include Crowd 4.4.4 or later, and Crowd 5.0.3 and later. 

Command injection vulnerability CVE-2022-43781 found in Bitbucket Server and Data Center can be exploited by an attacker who has permission to control their username. An attack that utilises this flaw can result in arbitrary code being executed on the system. Disabling ‘Public Signup’ in Bitbucket can potentially mitigate this attack, as it introduces the need for the attacker to be authenticated in order to perform an exploit. This can be done through the ‘Administration’ settings, under ‘Authentication’, where the ‘Allow public sign up’ checkbox can be unselected. If an attacker is able to obtain Admin or Sys-Admin authentication, then they will still be able to exploit this vulnerability, so this mitigation step is not as secure as updating the system and applying the security patches. Fixed versions of Bitbucket Server and Data Center can be found listed on the security advisory, and updates can be downloaded from Atlassian’s website. The Atlassian hosted bitbucket.org repository is not affected by this vulnerability. 

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

Scroll to Top