Critical hole in Atlassian Bitbucket needs patching now • The Register


A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories.

Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software, inclusive. Luckily there are no known exploits in the wild. 

But considering the vulnerability, tracked as CVE-2022-36804, received a 9.9 out of 10 CVSS score in terms of severity, we’d suggest you stop what you’re doing and update as soon as possible as it’s safe to assume miscreants are already scanning for vulnerable instances. 

As Atlassian explains in its security advisory, published mid-last week: “An attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.”

Additionally, the Center for Internet Security has labeled the flaw a “high” security risk for all sizes of business and government entities. These outfits typically use Bitbucket for managing source code in Git repositories.

Atlassian recommends organizations upgrade their instances to a fixed version, and those with configured Bitbucket Mesh nodes will need to update those, too. There’s a compatibility matrix to help users find the Mesh version that’s compatible with the Bitbucket Data Center version.

And if you need to postpone a Bitbucket update, Atlassian advises turning off public repositories globally as a temporary mitigation. This will change the attack vector from an unauthorized to an authorized attack. However, “this can not be considered a complete mitigation as an attacker with a user account could still succeed,” according to the advisory.
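As an added example that is not the article's or Atlassian's own code, the following Python script triages an inventory of Bitbucket Server/Data Center instances against the affected range stated above (7.0.0 to 8.3.0 inclusive); the hostnames and version strings in the sample inventory are constructed.

```python
# Added example: flag Bitbucket instances whose version falls inside the
# CVE-2022-36804 affected range given in the article (7.0.0 .. 8.3.0, inclusive).
# Versions are compared as integer tuples, because a plain string comparison
# would wrongly treat "8.10.0" as older than "8.3.0".
import re
from typing import List, Tuple

AFFECTED_MIN = (7, 0, 0)   # from the article: 7.0.0 ...
AFFECTED_MAX = (8, 3, 0)   # ... to 8.3.0, inclusive

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.3.0' (or '8.3') into a comparable 3-int tuple; reject junk."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))

def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) for each 'host,version' line.

    Unparseable versions are reported as 'unknown' rather than silently
    skipped, so a human still looks at them."""
    results = []
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(",")
        try:
            verdict = "AFFECTED" if is_affected(version) else "not in range"
        except ValueError:
            verdict = "unknown"
        results.append((host.strip(), version.strip(), verdict))
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
bitbucket-prod.example.internal,8.3.0
bitbucket-dev.example.internal,8.10.2
bitbucket-legacy.example.internal,6.10.17
bitbucket-mesh-01.example.internal,n/a
"""

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:<40} {version:<10} {verdict}")
```

The article does not list the fixed release numbers, so the script only flags the affected range; confirm the upgrade target against Atlassian's advisory.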

Security researcher @TheGrandPew discovered and reported the…
