{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-081.pdf"
    },
    "title": "Critical Vulnerabilities in Atlassian Products",
    "serial_number": "2022-081",
    "publish_date": "18-11-2022 15:30:00",
    "description": "On November 16, 2022, Atlassian released two advisories for critical vulnerabilities in the Crowd Server and Data Center identity management platform, and in Bitbucket Server and Data Center. Tracked as \"CVE-2022-43782\", the first vulnerability allows an attacker to authenticate as the Crowd application and subsequently call privileged endpoints on the Crowd platform. The second vulnerability, tracked as \"CVE-2022-43781\", is a command injection vulnerability in Bitbucket that lets an attacker with permission to control their username exploit this issue and execute arbitrary code on the system.",
    "url_title": "2022-081",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0Atlassian\u00a0Products'\nversion: '1.0'\nnumber: '2022-081'\noriginal_date: 'November 16, 2022'\ndate: 'November 18, 2022'\n---\n\n_History:_\n\n* _18/11/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn November 16, 2022, Atlassian released two advisories for critical vulnerabilities in the Crowd Server and Data Center identity management platform, and in Bitbucket Server and Data Center. Tracked as `CVE-2022-43782`, the first vulnerability allows an attacker to authenticate as the Crowd application and subsequently call privileged endpoints on the Crowd platform [1]. The second vulnerability, tracked as `CVE-2022-43781`, is a command injection vulnerability in Bitbucket that lets an attacker with permission to control their username exploit this issue and execute arbitrary code on the system [2].\n\n# Technical Details\n\nIntroduced in Crowd 3.0.0, `CVE-2022-43782` allows an attacker connecting from an IP address in the allow list to authenticate as the Crowd application, bypassing a password check. Two conditions need to be met for the vulnerability to be exploited:\n\n- the instance needs to be a new installation of a version > 3.0.0; instances upgraded from earlier versions to a vulnerable version are not affected,\n- the IP address has been added to the `Remote Address` allow list of the Crowd application (none by default).\n\n`CVE-2022-43781` might be exploited by unauthenticated users if `Public Signup` is enabled. It does not affect instances running PostgreSQL or those hosted by Atlassian.\n\n# Affected Products\n\nThe following products are affected [1][2].\n\n- Crowd Server and Data Center for `CVE-2022-43782`:\n    - Crowd 3.0.0 to Crowd 3.7.2\n    - Crowd 4.0.0 to Crowd 4.4.3\n    - Crowd 5.0.0 to Crowd 5.0.2\n\n- Bitbucket Server and Data Center for `CVE-2022-43781`:\n    - 7.0 to 7.5 (all versions)\n    - 7.6.0 to 7.6.18\n    - 7.7 to 7.16 (all versions)\n    - 7.17.0 to 7.17.11\n    - 7.18 to 7.20 (all versions)\n    - 7.21.0 to 7.21.5\n\n    If `mesh.enabled=false` is set in `bitbucket.properties`:\n    - 8.0.0 to 8.0.4\n    - 8.1.0 to 8.1.4\n    - 8.2.0 to 8.2.3\n    - 8.3.0 to 8.3.2\n    - 8.4.0 to 8.4.1\n\n# Recommendations\n\nCERT-EU highly recommends installing the latest fixes from the vendor as specified in the security advisories.\n\n# References\n\n[1] <https://confluence.atlassian.com/crowd/crowd-security-advisory-november-2022-1168866129.html>\n\n[2] <https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>18/11/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On November 16, 2022, Atlassian released two advisories for critical vulnerabilities in the Crowd Server and Data Center identity management platform, and in Bitbucket Server and Data Center. Tracked as <code>CVE-2022-43782</code>, the first vulnerability allows an attacker to authenticate as the Crowd application and subsequently call privileged endpoints on the Crowd platform [1]. The second vulnerability, tracked as <code>CVE-2022-43781</code>, is a command injection vulnerability in Bitbucket that lets an attacker with permission to control their username exploit this issue and execute arbitrary code on the system [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>Introduced in Crowd 3.0.0, <code>CVE-2022-43782</code> allows an attacker connecting from an IP address in the allow list to authenticate as the Crowd application, bypassing a password check. Two conditions need to be met for the vulnerability to be exploited:</p><ul><li>the instance needs to be a new installation of a version &gt; 3.0.0; instances upgraded from earlier versions to a vulnerable version are not affected,</li><li>the IP address has been added to the <code>Remote Address</code> allow list of the Crowd application (none by default).</li></ul><p><code>CVE-2022-43781</code> might be exploited by unauthenticated users if <code>Public Signup</code> is enabled. It does not affect instances running PostgreSQL or those hosted by Atlassian.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following products are affected [1][2].</p><ul><li><p>Crowd Server and Data Center for <code>CVE-2022-43782</code>:</p><ul><li>Crowd 3.0.0 to Crowd 3.7.2</li><li>Crowd 4.0.0 to Crowd 4.4.3</li><li>Crowd 5.0.0 to Crowd 5.0.2</li></ul></li><li><p>Bitbucket Server and Data Center for <code>CVE-2022-43781</code>:</p><ul><li>7.0 to 7.5 (all versions)</li><li>7.6.0 to 7.6.18</li><li>7.7 to 7.16 (all versions)</li><li>7.17.0 to 7.17.11</li><li>7.18 to 7.20 (all versions)</li><li>7.21.0 to 7.21.5</li></ul><p>If <code>mesh.enabled=false</code> is set in <code>bitbucket.properties</code>:</p><ul><li>8.0.0 to 8.0.4</li><li>8.1.0 to 8.1.4</li><li>8.2.0 to 8.2.3</li><li>8.3.0 to 8.3.2</li><li>8.4.0 to 8.4.1</li></ul></li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU highly recommends installing the latest fixes from the vendor as specified in the security advisories.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/crowd/crowd-security-advisory-november-2022-1168866129.html\">https://confluence.atlassian.com/crowd/crowd-security-advisory-november-2022-1168866129.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html\">https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}