First published: Thu Nov 17 2022
There is a command injection vulnerability via environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. The vulnerability can be exploited without authentication if the Bitbucket Server and Data Center instance has “Allow public signup” enabled.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix
---|---|---
Atlassian Bitbucket | >=7.0.0, <7.6.19 |
Atlassian Bitbucket | >=7.7.0, <7.17.12 |
Atlassian Bitbucket | >=7.18.0, <7.21.6 |
Atlassian Bitbucket | >=7.22.0, <8.0.5 |
Atlassian Bitbucket | >=8.1.0, <8.1.5 |
Atlassian Bitbucket | >=8.2.0, <8.2.4 |
Atlassian Bitbucket | >=8.3.0, <8.3.3 |
Atlassian Bitbucket | >=8.4.0, <8.4.2 |
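As an added example that is not part of the advisory, the following Python checks a Bitbucket Server/Data Center version string against the affected ranges in the table above (lower bound inclusive, upper bound excluded) and reports the first unaffected release on the same branch; the version strings to test are constructed here.

```python
# Added example (not from the advisory): check a Bitbucket version against
# the CVE-2022-43781 affected ranges. Ranges are copied from the advisory table.
from typing import Optional, Tuple

# (first affected, first unaffected) per release branch; '>=a, <b' notation.
AFFECTED_RANGES = [
    ("7.0.0", "7.6.19"),
    ("7.7.0", "7.17.12"),
    ("7.18.0", "7.21.6"),
    ("7.22.0", "8.0.5"),
    ("8.1.0", "8.1.5"),
    ("8.2.0", "8.2.4"),
    ("8.3.0", "8.3.3"),
    ("8.4.0", "8.4.2"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.4.1' into (8, 4, 1); pad to three parts so '8.4' == '8.4.0'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (lower, upper) range containing `version`, or None.

    Lower bound is inclusive, upper bound exclusive, matching '>=a, <b'.
    Tuples compare element-wise, so 7.17.11 < 7.17.12 as expected.
    """
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(upper):
            return (lower, upper)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def first_unaffected(version: str) -> Optional[str]:
    """First release on the same branch that is outside the affected range."""
    rng = affected_range(version)
    return rng[1] if rng else None


if __name__ == "__main__":
    for v in ("7.17.11", "8.4.1", "8.4.2", "8.5.0"):  # constructed inputs
        print(v, "affected" if is_affected(v) else "not affected", first_unaffected(v))
```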
CVE-2022-43781 is a command injection vulnerability in Bitbucket Server and Data Center that allows an attacker to execute arbitrary code on the system by controlling their username.
The severity of CVE-2022-43781 is critical with a CVSS score of 9.8.
Bitbucket versions from 7.0.0 before 7.6.19, from 7.7.0 before 7.17.12, from 7.18.0 before 7.21.6, from 7.22.0 before 8.0.5, from 8.1.0 before 8.1.5, from 8.2.0 before 8.2.4, from 8.3.0 before 8.3.3, and from 8.4.0 before 8.4.2 are affected by CVE-2022-43781; the upper bound of each range is not affected.
An attacker with permission to control their username can exploit CVE-2022-43781 by injecting malicious commands through environment variables, enabling them to execute arbitrary code on the system.
CVE-2022-43781 can be exploited without authentication when the Bitbucket Server or Data Center instance has “Allow public signup” enabled, because an attacker can then register an account and control its username.