CVE-2022-43781
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Atlassian | Bitbucket Data Center | before 7.0 | unaffected |
| Atlassian | Bitbucket Data Center | before 7.17.12 | affected |
| Atlassian | Bitbucket Data Center | before 7.21.6 | affected |
| Atlassian | Bitbucket Data Center | before 7.6.19 | affected |
| Atlassian | Bitbucket Data Center | before 8.0.5 | affected |
| Atlassian | Bitbucket Data Center | before 8.1.5 | affected |
| Atlassian | Bitbucket Data Center | before 8.2.4 | affected |
| Atlassian | Bitbucket Data Center | before 8.3.3 | affected |
| Atlassian | Bitbucket Data Center | before 8.4.2 | affected |
| Atlassian | Bitbucket Data Center | before 8.5.0 | affected |
| Atlassian | Bitbucket Server | before 7.0 | unaffected |
| Atlassian | Bitbucket Server | before 7.17.12 | affected |
| Atlassian | Bitbucket Server | before 7.21.6 | affected |
| Atlassian | Bitbucket Server | before 7.6.19 | affected |
| Atlassian | Bitbucket Server | before 8.0.5 | affected |
| Atlassian | Bitbucket Server | before 8.1.5 | affected |
| Atlassian | Bitbucket Server | before 8.2.4 | affected |
| Atlassian | Bitbucket Server | before 8.3.3 | affected |
| Atlassian | Bitbucket Server | before 8.4.2 | affected |
| Atlassian | Bitbucket Server | before 8.5.0 | affected |
Weaknesses
- RCE (Remote Code Execution)
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.