The Hacker News reports that Atlassian has issued fixes for critical security vulnerabilities in its Bitbucket Server, Crowd, and Data Center offerings.
Atlassian Bitbucket Server and Data Center versions 7.0 to 7.21 and 8.0 to 8.4 with mesh.enabled set to false are affected by CVE-2022-43781, a command injection flaw that could lead to code execution.
According to Atlassian, disabling the "Public Signup" option can reduce exposure to the flaw as a temporary workaround.
"ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled," Atlassian noted.
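For administrators who need to decide whether an instance matches the conditions the summary above attaches to CVE-2022-43781, the following triage helper is an added example, not Atlassian's code. It parses a bitbucket.properties file, reads mesh.enabled, and checks whether the major.minor version falls in the 7.0 to 7.21 or 8.0 to 8.4 ranges quoted above. It assumes that a missing mesh.enabled key means mesh is disabled, and it knows nothing about the specific patched point releases Atlassian lists in its advisory, so a match means "consult the advisory", not "confirmed vulnerable".

```python
"""Triage helper for CVE-2022-43781 (Bitbucket Server / Data Center).

Added example, not Atlassian's code. It checks the two conditions the
advisory summary ties the flaw to: a major.minor version in 7.0-7.21 or
8.0-8.4, and mesh.enabled being false. Treating an absent mesh.enabled
key as false is an assumption; confirm against your own configuration
and Atlassian's advisory, which lists the patched point releases.
"""
from dataclasses import dataclass

# Major.minor ranges named in the advisory summary (inclusive).
AFFECTED_RANGES = (((7, 0), (7, 21)), ((8, 0), (8, 4)))


def parse_version(text: str) -> tuple[int, int]:
    """Return (major, minor) from a version string such as '8.4.1'."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(parts[0]), int(parts[1])


def in_affected_range(version: str) -> bool:
    """True when major.minor lies inside one of the quoted ranges."""
    mm = parse_version(version)
    return any(lo <= mm <= hi for lo, hi in AFFECTED_RANGES)


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value or key: value lines,
    with '#' and '!' comment lines ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def mesh_enabled(props: dict[str, str], default: bool = False) -> bool:
    """Interpret mesh.enabled; an absent key falls back to `default`
    (assumed False here)."""
    value = props.get("mesh.enabled")
    if value is None:
        return default
    return value.lower() == "true"


@dataclass
class Triage:
    version: str
    version_in_range: bool
    mesh_enabled: bool

    @property
    def matches_advisory(self) -> bool:
        # The summary ties exposure to an in-range version with mesh disabled.
        return self.version_in_range and not self.mesh_enabled


def triage(version: str, properties_text: str) -> Triage:
    """Combine the version check and the mesh.enabled setting."""
    props = parse_properties(properties_text)
    return Triage(version, in_affected_range(version), mesh_enabled(props))


# Constructed sample input, not a real instance's configuration.
SAMPLE_PROPERTIES = """\
# bitbucket.properties (constructed sample)
server.port=7990
mesh.enabled=false
"""

if __name__ == "__main__":
    for v in ("7.21.0", "8.4.1", "8.5.0", "6.10.0"):
        t = triage(v, SAMPLE_PROPERTIES)
        print(f"{v}: in_range={t.version_in_range} mesh={t.mesh_enabled} "
              f"matches_advisory={t.matches_advisory}")
```

Run it against the version reported by your instance and the contents of its bitbucket.properties; an instance that matches should be patched, and, until it is, have Public Signup disabled as the workaround above describes.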
Meanwhile, Crowd Server and Data Center products are affected by the second bug, CVE-2022-43782, a misconfiguration that could allow privileged API endpoints to be invoked by attackers connecting from an IP address included in the Remote Access configuration. Immediate patching of both flaws has been recommended, as exploitation of Atlassian and Bitbucket flaws has been prevalent.
SiliconAngle reports that more companies are conducting purple team cybersecurity threat evaluations, with security penetration testing firm SpecterOps being the latest to pair its offensive and defensive teams in testing and defending corporate systems.