[BSERV-13522] Critical severity command injection vulnerability - CVE-2022-43781 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 7.6.19, 7.17.12, 7.21.6, 8.0.5, 8.1.5, 8.2.4, 8.3.3, 8.4.2, 8.5.0
Affects Version/s: 7.0.0
Component/s: None
Labels:

CVSS Score:
9
CVSS Severity:
Critical
CVE ID:
CVE-2022-43781
Affected Product(s):

Bitbucket Data Center, Bitbucket Server

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system. This vulnerability was introduced in Bitbucket Server and Data Center version 7.0.

Affected versions:

7.0.0 ≤ version < 7.6.19
7.7.0 ≤ version < 7.17.12
7.18.0 ≤ version < 7.21.6
7.22.0 ≤ version < 8.0.5
8.1.0 ≤ version < 8.1.5
8.2.0 ≤ version < 8.2.4
8.3.0 ≤ version < 8.3.3
8.4.0 ≤ version < 8.4.2

Fixed versions:

7.6.19 or newer
7.17.12 or newer
7.21.6 or newer
8.0.5 or newer
8.1.5 or newer
8.2.4 or newer
8.3.3 or newer
8.4.2 or newer
8.5.0 or newer

For full descriptions of the above versions of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket from the download center. For Frequently Asked Questions (FAQ) click here.

For additional details, see the full advisory: https://confluence.atlassian.com/x/Y4hXRg

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(45 mentioned in)

Form Name

Bryan M made changes - 14/Sep/2023 6:52 AM

Remote Link

Original: This issue links to "Page (Confluence)" [ 812151 ]

Bryan M made changes - 14/Sep/2023 6:51 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 813108 ]

Gary Pasquale made changes - 13/Sep/2023 8:43 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 812151 ]

Gary Pasquale made changes - 05/Sep/2023 2:09 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 807908 ]

Gary Pasquale made changes - 30/Aug/2023 9:03 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 805587 ]

Bryan M made changes - 22/Aug/2023 1:46 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 802493 ]

Jared Winter made changes - 16/Aug/2023 7:16 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 800614 ]

Jared Winter made changes - 09/Aug/2023 6:10 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 797778 ]

Jared Winter made changes - 02/Aug/2023 6:49 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 795196 ]

Jared Winter made changes - 26/Jul/2023 6:18 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 792991 ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 12/Oct/2022 9:46 PM

Updated:: 14/Sep/2023 6:52 AM

Resolved:: 16/Nov/2022 5:59 PM

Details

Description

Attachments

Issue Links

Forms

Activity

[BSERV-13522] Critical severity command injection vulnerability - CVE-2022-43781

People

Dates

Backbone Issue Sync