Date: 2022-10-03

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of malicious actors exploiting a critical security flaw affecting Atlassian’s Bitbucket Server and Data Centre.

According to a report by The Hacker News, the vulnerability — tracked as CVE-2022-36804 — is a command injection flaw that could allow malicious actors to execute code remotely on affected installations.

Hackers can do so by sending a crafted HTTP request to susceptible installations.

However, to successfully exploit the vulnerability, malicious actors must already have access to a public repository or have obtained read permissions to a private Bitbucket repository.

Atlassian noted that all Bitbucket Server and Data Centre versions released after 6.10.17, including 7.0.0 and newer, are impacted by the flaw.

“This means that all instances that are running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability,” it added.

While CISA hasn’t provided details on the vulnerability’s exploitation in the wild, GreyNoise shows evidence of the flaw being used on 20 and 23 September and 1 and 2 October.

GreyNoise is a cybersecurity platform that collects and analyses Internet-wide scan and attack traffic.