History: Nov 17, 2022 - 12:00 a.m.

CVE-2022-43781

2022-11-17 00:00:01
atlassian
www.cve.org
cve-2022-43781
environment variables
bitbucket server
data center
command injection
arbitrary code execution
unauthenticated
public signup

EPSS

0.522

Percentile

97.6%

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

CNA Affected

[
  {
    "vendor": "Atlassian",
    "product": "Bitbucket Data Center",
    "versions": [
      {
        "version": "before 7.0",
        "status": "unaffected"
      },
      {
        "version": "before 7.17.12",
        "status": "affected"
      },
      {
        "version": "before 7.21.6",
        "status": "affected"
      },
      {
        "version": "before 7.6.19",
        "status": "affected"
      },
      {
        "version": "before 8.0.5",
        "status": "affected"
      },
      {
        "version": "before 8.1.5",
        "status": "affected"
      },
      {
        "version": "before 8.2.4",
        "status": "affected"
      },
      {
        "version": "before 8.3.3",
        "status": "affected"
      },
      {
        "version": "before 8.4.2",
        "status": "affected"
      },
      {
        "version": "before 8.5.0",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Atlassian",
    "product": "Bitbucket Server",
    "versions": [
      {
        "version": "before 7.0",
        "status": "unaffected"
      },
      {
        "version": "before 7.17.12",
        "status": "affected"
      },
      {
        "version": "before 7.21.6",
        "status": "affected"
      },
      {
        "version": "before 7.6.19",
        "status": "affected"
      },
      {
        "version": "before 8.0.5",
        "status": "affected"
      },
      {
        "version": "before 8.1.5",
        "status": "affected"
      },
      {
        "version": "before 8.2.4",
        "status": "affected"
      },
      {
        "version": "before 8.3.3",
        "status": "affected"
      },
      {
        "version": "before 8.4.2",
        "status": "affected"
      },
      {
        "version": "before 8.5.0",
        "status": "affected"
      }
    ]
  }
]
