Uploaded image for project: 'Bitbucket Server'
  1. Bitbucket Server
  2. BSERV-13522

Critical severity command injection vulnerability - CVE-2022-43781

    XMLWordPrintable

Details

    • 9
    • Critical
    • CVE-2022-43781

    Description

      There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system. This vulnerability was introduced in Bitbucket Server and Data Center version 7.0.

      Affected versions:

      • 7.0.0 ≤ version < 7.6.19
      • 7.7.0 ≤ version < 7.17.12
      • 7.18.0 ≤ version < 7.21.6
      • 7.22.0 ≤ version < 8.0.5
      • 8.1.0 ≤ version < 8.1.5
      • 8.2.0 ≤ version < 8.2.4
      • 8.3.0 ≤ version < 8.3.3
      • 8.4.0 ≤ version < 8.4.2

      Fixed versions:

      • 7.6.19 or newer
      • 7.17.12 or newer
      • 7.21.6 or newer
      • 8.0.5 or newer
      • 8.1.5 or newer
      • 8.2.4 or newer
      • 8.3.3 or newer
      • 8.4.2 or newer
      • 8.5.0 or newer

      For full descriptions of the above versions of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket from the download center. For Frequently Asked Questions (FAQ) click here.

      For additional details, see the full advisory: https://confluence.atlassian.com/x/Y4hXRg 

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: