CVE-2022-43781

Summary

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

Affected Software

VendorProductVersion RangeStatus
AtlassianBitbucket Data Centerbefore 7.0unaffected
AtlassianBitbucket Data Centerbefore 7.17.12affected
AtlassianBitbucket Data Centerbefore 7.21.6affected
AtlassianBitbucket Data Centerbefore 7.6.19affected
AtlassianBitbucket Data Centerbefore 8.0.5affected
AtlassianBitbucket Data Centerbefore 8.1.5affected
AtlassianBitbucket Data Centerbefore 8.2.4affected
AtlassianBitbucket Data Centerbefore 8.3.3affected
AtlassianBitbucket Data Centerbefore 8.4.2affected
AtlassianBitbucket Data Centerbefore 8.5.0affected
AtlassianBitbucket Serverbefore 7.0unaffected
AtlassianBitbucket Serverbefore 7.17.12affected
AtlassianBitbucket Serverbefore 7.21.6affected
AtlassianBitbucket Serverbefore 7.6.19affected
AtlassianBitbucket Serverbefore 8.0.5affected
AtlassianBitbucket Serverbefore 8.1.5affected
AtlassianBitbucket Serverbefore 8.2.4affected
AtlassianBitbucket Serverbefore 8.3.3affected
AtlassianBitbucket Serverbefore 8.4.2affected
AtlassianBitbucket Serverbefore 8.5.0affected

Weaknesses

  • RCE (Remote Code Execution)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References