hivepro / HiveForce Lab - HIVEPRO:8F5F41019F148247B2BACDBF6A02070C
History: Nov 23, 2022 - 12:13 p.m.

Atlassian Addresses Issues in Crowd and Bitbucket Products

2022-11-23 12:13:27
HiveForce Lab
www.hivepro.com

CVSS3 base score: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Threat Level: Vulnerability Report

For a detailed threat advisory, download the PDF file here.

Summary

Atlassian has disclosed two vulnerabilities that can be abused to achieve arbitrary code execution. CVE-2022-43782 allows an intruder connecting from an IP address on Crowd's allow list to bypass password validation and authenticate as the crowd application. The attacker may then use the user-management path to reach privileged endpoints in Crowd's REST API. CVE-2022-43781 is a command injection vulnerability in Bitbucket Server and Data Center that is triggered through environment variables in the software. An attacker with access to credentials can leverage this flaw to execute code on the system.

