The Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog, including Microsoft Exchange and Atlassian flaws.
An attacker could exploit these vulnerabilities to take control of impacted systems.
Exchange Server exploits
CISA added two Microsoft Exchange zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082), which are being exploited in limited, targeted attacks in the wild, to its Known Exploited Vulnerabilities Catalog.
“In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability,” Microsoft wrote in a blog post.
Microsoft is aware of exploits against the zero-days affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
Microsoft has released workarounds for the flaws to apply until permanent fixes are published.
Moreover, CISA added a critical-severity Atlassian command injection vulnerability, CVE-2022-36804 (CVSS 9.9), to its Known Exploited Vulnerabilities Catalog.
“There is a command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center. An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian noted in the advisory.
All versions released after 6.10.17, including 7.0.0 and newer, are affected.