CVE-2022-43781

Published: Nov 17, 2022

Modified: Oct 2, 2024

PUBLISHED

Description

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be exploited without authentication if the Bitbucket Server and Data Center instance has “Allow public signup” enabled.

| Vendor | Product | Versions |
| --- | --- | --- |
| Atlassian | Bitbucket Data Center | unaffected: before 7.0; affected: before 7.17.12; affected: before 7.21.6; affected: before 7.6.19; affected: before 8.0.5; +5 more versions |
| Atlassian | Bitbucket Server | unaffected: before 7.0; affected: before 7.17.12; affected: before 7.21.6; affected: before 7.6.19; affected: before 8.0.5; +5 more versions |
