9.8 Critical
CVSS 3.1 base metrics
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Report

Summary

Atlassian has disclosed two vulnerabilities, each of which can lead to arbitrary code execution.

CVE-2022-43782 affects Crowd Server and Data Center. An attacker connecting from an IP address on the allow list can bypass password validation and authenticate as the crowd application. Once authenticated, the attacker can call privileged endpoints under the user-management path of Crowd's REST API.

CVE-2022-43781 is a command injection vulnerability in Bitbucket Server and Data Center that is triggered through environment variables. An authenticated attacker with permission to control their own username can exploit it to gain code execution on the host.