Atlassian Ships Urgent Patch for Critical Bitbucket Vulnerability


Atlassian’s security response team has issued an urgent advisory to warn of a critical command injection flaw in its Bitbucket Server and Data Center product.

The vulnerability carries a CVSS severity score of 9.9 out of 10 and can be exploited remotely to launch code execution attacks, Atlassian said.

Atlassian said the security defect, tracked as CVE-2022-36804, was introduced in version 7.0.0 of Bitbucket Server and Data Center.

From the alert:

The company said Atlassian Cloud sites are not affected by this issue.

The disclosure of a new critical-severity issue from Atlassian follows the documentation of in-the-wild attacks hitting the Australian company’s widely deployed Confluence software product.

This year alone, the U.S. government’s cybersecurity response agency CISA has listed four distinct Atlassian software flaws in its KEV (Known Exploited Vulnerabilities) catalog.


By Ryan Naraine on Fri, 26 Aug 2022 19:26:32 +0000