Reference:
Advisory #2023-113
Version:
1.0
Affected software:
Atlassian Bitbucket Data Center and Server versions 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0
Type:
Remote Code Execution (RCE)
CVE/CVSS:
CVE-2023-22513: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Confluence - https://confluence.atlassian.com/security/security-bulletin-september-19-2023-1283691616.html
CVE-2023-22513 is a high-severity vulnerability with a CVSS score of 8.5. It allows an authenticated attacker to execute arbitrary code on vulnerable systems. This could have severe consequences, with high impact on the confidentiality, integrity and availability of the targeted systems. At the moment, the vulnerability has not been observed being exploited by threat actors.
The high severity of the vulnerability is due to the fact that an attacker who has successfully authenticated with low privileges could raise privileges and abuse the vulnerability without needing user interaction. The attacker could then execute commands on the system, affecting its confidentiality, integrity, and availability.
The Centre for Cyber Security Belgium strongly recommends that system administrators upgrade to the most recent version provided by Atlassian.
If you are unable to do so, Atlassian recommends upgrading your instance to one of the specified supported fixed versions:
You can download the latest version of Bitbucket Data Center and Server from the download center: https://www.atlassian.com/software/bitbucket/download-archives.
NIST - https://nvd.nist.gov/vuln/detail/CVE-2023-22513
Confluence - https://confluence.atlassian.com/security/security-bulletin-september-19-2023-1283691616.html
Atlassian - https://www.atlassian.com/software/bitbucket/download-archives
Information Security Newspaper - https://www.securitynewspaper.com/2023/09/20/hacking-atlassian-bitbucket-confluence-data-with-a-vulnerability/