On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing indications of ongoing exploitation, added a previously disclosed significant vulnerability affecting Atlassian’s Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) database.
The problem, which has been assigned the tracking number CVE-2022-36804, pertains to a command injection flaw that could allow malicious actors to execute arbitrary code on vulnerable installations by sending a specially crafted HTTP request.
However, for an exploit to be successful, the attacker must already have access to a public repository or have read permissions to a private Bitbucket repository.
According to a late August 2022 advisory from Atlassian, “all versions of Bitbucket Server and Datacenter issued after 6.10.17 including 7.0.0 and newer are impacted, meaning that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability.”
The extent of the exploitation efforts and how the flaw is being used were not disclosed by CISA, but GreyNoise claimed to have found evidence of abuse on September 20 and 23.
By October 21, 2022, all Federal Civilian Executive Branch (FCEB) agencies must take actions to address the vulnerabilities in order to shield networks from current threats.