The Hacker News reports that Atlassian has issued fixes for critical security vulnerabilities in its Bitbucket Server, Crowd, and Data Center offerings.
Atlassian Bitbucket Server and Data Center versions 7.0 to 7.21 and 8.0 to 8.4 with mesh.enabled set to false are affected by CVE-2022-43781, a command injection flaw that could allow code execution.
As a temporary workaround, Atlassian says disabling the "Public Signup" option could curb exploitation of the flaw.
"ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled," Atlassian noted.
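The affected set described above (a version range combined with a single configuration flag, plus a workaround that only narrows who can exploit it) is the kind of thing a defender turns into a quick triage script. The following is an added example, not code from the article or from Atlassian: it assumes the caller supplies the version string, the text of `bitbucket.properties` (assumed to be plain `key=value` lines with `#`/`!` comments) and the public-signup state; the ranges 7.0 to 7.21 and 8.0 to 8.4 and the `mesh.enabled=false` condition come from the article. What `mesh.enabled` defaults to when the key is absent is not assumed; that case is reported as undetermined.

```python
"""Triage helper for CVE-2022-43781 exposure on a Bitbucket Server / Data Center
instance. Added example, not code from the article or from Atlassian.

Assumptions: the caller supplies the version string, the text of
bitbucket.properties (assumed to be plain key=value lines with '#'/'!'
comments) and the public-signup state; the affected ranges 7.0-7.21 and
8.0-8.4 (inclusive) and the mesh.enabled=false condition come from the
article. The default value of mesh.enabled when the key is absent is NOT
assumed: that case is reported as None (check the instance).
"""
from typing import Optional, Tuple

# (major, minor) ranges quoted in the article, inclusive at both ends
AFFECTED_RANGES = (((7, 0), (7, 21)), ((8, 0), (8, 4)))


def parse_version(version: str) -> Tuple[int, int]:
    """Return (major, minor) from a version such as '7.21.3' or '8.4'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[0]), int(parts[1])


def version_in_affected_range(version: str) -> bool:
    """True if the major.minor falls inside one of the advisory's ranges."""
    mm = parse_version(version)
    return any(lo <= mm <= hi for lo, hi in AFFECTED_RANGES)


def mesh_enabled_setting(properties_text: str) -> Optional[bool]:
    """Extract mesh.enabled from bitbucket.properties text; None if not set.

    Later occurrences override earlier ones, as Java property loading does.
    """
    value: Optional[bool] = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "mesh.enabled":
            value = val.strip().lower() == "true"
    return value


def assess(version: str, properties_text: str, public_signup: bool) -> dict:
    """Combine version, config and signup state into a triage verdict.

    'affected' is True/False when it can be decided from the inputs and None
    when mesh.enabled is absent. 'unauthenticated_exposure' reflects the
    article's note that disabling public signup only curbs exploitation:
    ADMIN/SYS_ADMIN users can still exploit an affected instance.
    """
    in_range = version_in_affected_range(version)
    mesh = mesh_enabled_setting(properties_text)
    if not in_range:
        affected: Optional[bool] = False
    elif mesh is None:
        affected = None  # in range, but mesh.enabled not explicit: verify manually
    else:
        affected = not mesh  # affected only when mesh.enabled=false
    return {
        "in_affected_range": in_range,
        "mesh_enabled": mesh,
        "affected": affected,
        "unauthenticated_exposure": bool(affected) and public_signup,
        "action": "patch" if affected is not False else "no action for CVE-2022-43781",
    }


if __name__ == "__main__":
    # Constructed sample: an in-range release with Mesh explicitly disabled.
    sample_properties = (
        "# constructed sample bitbucket.properties\n"
        "server.port=7990\n"
        "mesh.enabled=false\n"
    )
    print(assess("7.21.3", sample_properties, public_signup=True))
```

The verdict deliberately keeps `in_affected_range`, `mesh_enabled` and `affected` as separate fields so a reviewer can see why an instance was flagged, and an undetermined `mesh.enabled` still yields the "patch" action, since patching is the safe default when the configuration cannot be read.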
Meanwhile, Crowd Server and Data Center products are affected by the second bug, CVE-2022-43782, a misconfiguration that could allow privileged API endpoints to be invoked as long as the attacker connects from an IP address included in the Remote Access configuration. Immediate patching of both flaws is recommended, as exploitation of Atlassian and Bitbucket flaws has been prevalent.
This week in the Security News: When you just wanna hurl, malicious containers, FCC bans stuff, these are not the CVEs you're looking for, Linux password mining, mind the gap, hacking smart watches, & more!
CRN reports that popular desktop-sharing and virtual meeting software provider GoTo and its password manager affiliate LastPass had their shared third-party cloud storage service compromised by as yet unidentified attackers.