CVE-2022-43781

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

Published: Nov 17, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-43781
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
atlassian / bitbucket	8.4.0	8.4.2
atlassian / bitbucket	7.0.0	7.6.19
atlassian / bitbucket	7.7.0	7.17.12
atlassian / bitbucket	7.18.0	7.21.6
atlassian / bitbucket	8.1.0	8.1.5
atlassian / bitbucket	8.2.0	8.2.4
atlassian / bitbucket	8.3.0	8.3.3
atlassian / bitbucket	7.22.0	8.0.5

https://confluence.atlassian.com/x/Y4hXRg
https://jira.atlassian.com/browse/BSERV-13522

Vulnerability Database

289,697

CVE-2022-43781