Two critical-severity vulnerabilities have been identified in Atlassian products: one in Crowd Server and Data Center, the other in Bitbucket Server and Data Center. Atlassian has released a security advisory for each product detailing the severity, affected versions, and mitigation steps. The Crowd Server and Data Center vulnerability affects Crowd 3.0.0 and all later versions; the 3.x release line is end of life and no longer supported, so it has not received a patch. The Bitbucket Server and Data Center vulnerability affects versions 7.0 to 7.21, and versions 8.0 to 8.4 only when bitbucket.properties contains mesh.enabled=false.
Security misconfiguration vulnerability CVE-2022-43782 affects Crowd 3.0.0 and later, but only if an IP address has been added to the Remote Addresses configuration of the built-in crowd application; that list is empty by default. An attacker connecting from an allow-listed IP is authenticated without a password and can then call privileged endpoints under the usermanagement path of the REST API, such as creating users or changing passwords. If access logging was configured before the incident, requests to the usermanagement path in the access logs can be reviewed to check whether the system has been compromised; note that Crowd does not enable access logs by default. Crowd Data Center additionally has audit logs that can be reviewed for signs of compromise. The vulnerability can be mitigated by removing all IP addresses from the Remote Addresses allow list, or by updating to a fixed version: Crowd 4.4.4 or later, or Crowd 5.0.3 or later.
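The following is an added example, not code from the original page or from Atlassian, showing how the access-log check described above can be automated: it parses Tomcat-style access-log lines, keeps only requests to the usermanagement REST path, summarises them per source IP, and flags addresses that are both in the Remote Addresses allow list and made successful write calls (user creation, password changes, deletions). The log lines, the allow-listed address 203.0.113.7 and the internal hosts are constructed for the example, and the log format assumes the common pattern; adjust the regex if your AccessLogValve uses a different one.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat "common" access-log format. Not a real
# capture: 203.0.113.7 plays the attacker, 10.0.0.x are internal hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Nov/2022:10:14:02 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 4312
10.0.0.5 - - [17/Nov/2022:10:14:09 +0000] "POST /crowd/console/login.action HTTP/1.1" 302 0
203.0.113.7 - - [17/Nov/2022:10:21:44 +0000] "GET /crowd/rest/usermanagement/1/search?entity-type=user HTTP/1.1" 200 9821
203.0.113.7 - - [17/Nov/2022:10:21:51 +0000] "POST /crowd/rest/usermanagement/1/user HTTP/1.1" 201 388
203.0.113.7 - - [17/Nov/2022:10:22:03 +0000] "PUT /crowd/rest/usermanagement/1/user/password?username=backdoor HTTP/1.1" 204 0
10.0.0.9 - - [17/Nov/2022:10:25:17 +0000] "GET /crowd/rest/usermanagement/1/user?username=alice HTTP/1.1" 200 512
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
USERMGMT = "/rest/usermanagement/"   # privileged REST API base path
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit_usermanagement(log_text, allowlisted_ips):
    """Summarise calls to the usermanagement path per source IP.

    allowlisted_ips: the addresses configured under the crowd application's
    Remote Addresses. On a vulnerable version those addresses were granted
    password-less access, so their calls are the ones to review first.
    """
    per_ip = defaultdict(lambda: {"calls": 0, "writes": 0, "paths": [], "allowlisted": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or USERMGMT not in rec["path"]:
            continue
        entry = per_ip[rec["ip"]]
        entry["calls"] += 1
        # Only count write operations the server actually accepted (2xx/3xx).
        if rec["method"] in WRITE_METHODS and rec["status"] < 400:
            entry["writes"] += 1
        entry["paths"].append(f'{rec["ts"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
        entry["allowlisted"] = rec["ip"] in allowlisted_ips
    return dict(per_ip)


def suspicious_sources(summary):
    """IPs that are allow-listed and performed at least one successful write."""
    return sorted(ip for ip, e in summary.items() if e["allowlisted"] and e["writes"] > 0)


if __name__ == "__main__":
    # The allow list below is the constructed Remote Addresses setting for this example.
    summary = audit_usermanagement(SAMPLE_LOG, allowlisted_ips={"203.0.113.7"})
    for ip, e in summary.items():
        tag = "ALLOW-LISTED" if e["allowlisted"] else "other"
        print(f"{ip} ({tag}): {e['calls']} usermanagement calls, {e['writes']} successful writes")
        for p in e["paths"]:
            print("   ", p)
    print("review first:", suspicious_sources(summary))
```

Read-only calls from an allow-listed integration host may be legitimate; it is the accepted write calls from an address in the allow list, particularly password changes and user creation against accounts nobody recognises, that should be treated as indicators of compromise.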
Command injection vulnerability CVE-2022-43781 in Bitbucket Server and Data Center can be exploited by an attacker who controls their own username. A successful attack results in arbitrary code execution on the host running Bitbucket. Disabling ‘Public Signup’ reduces the exposure, because the attacker then needs an existing authenticated account to exploit the flaw. This is done in the ‘Administration’ settings under ‘Authentication’, by unchecking ‘Allow public sign up’. An attacker who already holds Admin or Sys-Admin credentials can still exploit the vulnerability, so this mitigation is a stopgap and not a substitute for updating to a patched version. The fixed versions of Bitbucket Server and Data Center are listed in the security advisory, and the updates can be downloaded from Atlassian’s website. The Atlassian-hosted bitbucket.org service is not affected by this vulnerability.
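As an added example (not code from the original page or from Atlassian), the check below applies the affected-version conditions stated above to a Bitbucket Server or Data Center instance: it reads bitbucket.properties with a minimal Java properties parser and reports whether a given version falls in the 7.0 to 7.21 range, or in 8.0 to 8.4 with mesh.enabled=false. The properties content is constructed for the example, and an absent mesh.enabled key is deliberately reported for manual review rather than assumed safe. Patched point releases inside those lines are still reported as in range; the advisory's fixed-version list is the authority on whether a specific build is patched.

```python
import re

# Constructed bitbucket.properties content, not taken from a real instance.
SAMPLE_PROPERTIES = """\
# Bitbucket Data Center configuration (constructed sample)
server.port=7990
jdbc.driver=org.postgresql.Driver
! Mesh was never enabled on this node
mesh.enabled = false
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#' or '!' comments, '=' or ':' separators,
    surrounding whitespace ignored. Enough for bitbucket.properties lookups."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r'^([^=:\s]+)\s*[=:]?\s*(.*)$', line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_version(version):
    """'8.3.1' -> (8, 3, 1); always returns at least (major, minor)."""
    parts = tuple(int(p) for p in version.split("."))
    return (parts + (0, 0))[:max(2, len(parts))]


def is_in_affected_range(version, properties):
    """Return (in_range, reason) for CVE-2022-43781 as described in the advisory
    summary: 7.0-7.21 unconditionally, 8.0-8.4 only when mesh.enabled=false."""
    major, minor = parse_version(version)[:2]
    if major == 7 and 0 <= minor <= 21:
        return True, "7.0-7.21 is affected regardless of configuration"
    if major == 8 and 0 <= minor <= 4:
        mesh = properties.get("mesh.enabled", "").strip().lower()
        if mesh == "false":
            return True, "8.0-8.4 with mesh.enabled=false"
        if mesh == "":
            # Assumption for this example: an unset key is flagged for review
            # rather than silently treated as not affected.
            return True, "8.0-8.4 and mesh.enabled is not set; verify the effective setting"
        return False, "8.0-8.4 with mesh.enabled=true"
    return False, "outside the affected ranges (7.0-7.21, 8.0-8.4)"


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for v in ("7.21.0", "8.3.1", "8.5.0"):
        affected, why = is_in_affected_range(v, props)
        print(f"Bitbucket {v}: {'IN AFFECTED RANGE' if affected else 'not in range'} ({why})")
```

On a live node the same check would read the file from the Bitbucket home directory (shared/bitbucket.properties) and the version from the admin UI or the REST application-properties endpoint; both locations are left as an exercise here so the example stays offline.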
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)