CERT-In issues alerts for vulnerabilities in Google Chrome OS, TP-link router, and Atlassian Bitbucket Server and Data Center

Users are recommended to update their product and firmware to ensure the security of their systems

CERT-In on Thursday released notes on high-severity vulnerabilities in Google Chrome OS and critical vulnerabilities in TP-Link Router and Bitbucket Server and Data Center. The reported vulnerabilities can be used by remote attackers to target affected systems and execute arbitrary code, compromising their security.

In Google Chrome OS

Several vulnerabilities have been reported in the Google Chrome OS LTS channel release, including use-after-free bugs in Blink, the browser build, web UI, the managed device API, and the Chrome OS shell.

Vulnerabilities also exist in the login flow, extensions and the extensions API, insufficient policy enforcement in cookies, an improper implementation in the extensions API, a buffer overflow in PDF, and a side-channel information leak in keyboard input.

The vulnerabilities affect most Chrome OS devices, according to Google’s security releases. They can be exploited by remote attackers by sending specially crafted requests to targeted systems.

Successful exploitation may allow attackers to execute arbitrary code or cause a denial of service on affected systems.

Google has released security updates to address the vulnerabilities, and applying them is recommended to secure vulnerable systems.

In TP-Link router firmware

A critical vulnerability has been reported in firmware running on routers from TP-Link Technologies Co. Ltd., a manufacturer of computer networking products.

The vulnerability exists due to improper bounds checking in the router's HTTPD daemon, the web server software that runs in the background to receive requests and serve hypertext and multimedia documents over the Internet.

The vulnerability can be exploited by an authenticated remote attacker sending specially crafted requests. Successful exploitation could overflow a buffer and allow the attacker to execute arbitrary code on the targeted system.

The vulnerability has been classified as critical because it can allow a remote attacker to execute code and gain access to the affected system.

Updating to the latest firmware version is suggested to fix the vulnerability.

In Bitbucket Server and Data Center

A critical vulnerability has been reported in all versions of Atlassian Bitbucket Server and Data Center between 7.0.0 and 8.3.0.

The vulnerability exists in multiple API endpoints and can be exploited by sending a specially crafted HTTP request to execute arbitrary commands on affected systems.

The command injection vulnerability could be exploited by remote authenticated attackers to target the Git-based repository management solution.

Atlassian on its website said the vulnerability can be exploited by an attacker “with access to a public repository or with read permissions to a private Bitbucket repository.” The company also said cloud sites hosted by Atlassian are not affected by the vulnerability.

Updating each affected product installation to a fixed version available on the Atlassian site is suggested to fix the vulnerability.