CVE-2022-43781Command Injection in Atlassian Bitbucket

CWE-77Command Injection3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
88.2%
top 0.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Atlassian BitbucketAtlassian Bitbucket Data CenterAtlassian Bitbucket Server
Timeline
PublishedNov 17
Latest updateJul 6

Description

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

CVEListV5atlassian/bitbucket_data_center9 versions+8
CVEListV5atlassian/bitbucket_server9 versions+8
NVDatlassian/bitbucket7.0.07.6.19+7

Patches

Patch: jira.atlassian.comPatch: jira.atlassian.com

🔴Vulnerability Details

2
GHSA
GHSA-3883-h64p-r3xm: There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center2023-07-06
CVEList
CVE-2022-43781: There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center2022-11-17
CVE-2022-43781 — Command Injection in Atlassian | cvebase