Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-43781

Summary
Assigner-atlassian
Assigner Org ID-f08a6ab8-ed46-4c22-8884-d911ccfe3c66
Published At-17 Nov, 2022 | 00:00
Updated At-02 Oct, 2024 | 15:35
Rejected At-
Credits

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:atlassian
Assigner Org ID:f08a6ab8-ed46-4c22-8884-d911ccfe3c66
Published At:17 Nov, 2022 | 00:00
Updated At:01 Jan, 1000 | 00:00
Rejected At:
▼CVE Numbering Authority (CNA)

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

Affected Products
Vendor
AtlassianAtlassian
Product
Bitbucket Data Center
Versions
Affected
  • before 7.17.12
  • before 7.21.6
  • before 7.6.19
  • before 8.0.5
  • before 8.1.5
  • before 8.2.4
  • before 8.3.3
  • before 8.4.2
  • before 8.5.0
Unaffected
  • before 7.0
Vendor
AtlassianAtlassian
Product
Bitbucket Server
Versions
Affected
  • before 7.17.12
  • before 7.21.6
  • before 7.6.19
  • before 8.0.5
  • before 8.1.5
  • before 8.2.4
  • before 8.3.3
  • before 8.4.2
  • before 8.5.0
Unaffected
  • before 7.0
Problem Types
TypeCWE IDDescription
RCE (Remote Code Execution)N/ARCE (Remote Code Execution)
Type: RCE (Remote Code Execution)
CWE ID: N/A
Description: RCE (Remote Code Execution)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
https://github.com/Ry0taK
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://confluence.atlassian.com/x/Y4hXRg
N/A
https://jira.atlassian.com/browse/BSERV-13522
N/A
Hyperlink: https://confluence.atlassian.com/x/Y4hXRg
Resource: N/A
Hyperlink: https://jira.atlassian.com/browse/BSERV-13522
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@atlassian.com
Published At:17 Nov, 2022 | 00:15
Updated At:02 Oct, 2024 | 15:35

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Atlassian
atlassian
>>bitbucket>>Versions from 7.0.0(inclusive) to 7.6.19(exclusive)
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>bitbucket>>Versions from 7.7.0(inclusive) to 7.17.12(exclusive)
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>bitbucket>>Versions from 7.18.0(inclusive) to 7.21.6(exclusive)
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>bitbucket>>Versions from 7.22.0(inclusive) to 8.0.5(exclusive)
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>bitbucket>>Versions from 8.1.0(inclusive) to 8.1.5(exclusive)
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>bitbucket>>Versions from 8.2.0(inclusive) to 8.2.4(exclusive)
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>bitbucket>>Versions from 8.3.0(inclusive) to 8.3.3(exclusive)
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Atlassian
atlassian
>>bitbucket>>Versions from 8.4.0(inclusive) to 8.4.2(exclusive)
cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-77Primarynvd@nist.gov
CWE-77Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-77
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-77
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://confluence.atlassian.com/x/Y4hXRgsecurity@atlassian.com
Mitigation
Release Notes
Vendor Advisory
https://jira.atlassian.com/browse/BSERV-13522security@atlassian.com
Issue Tracking
Patch
Vendor Advisory
Hyperlink: https://confluence.atlassian.com/x/Y4hXRg
Source: security@atlassian.com
Resource:
Mitigation
Release Notes
Vendor Advisory
Hyperlink: https://jira.atlassian.com/browse/BSERV-13522
Source: security@atlassian.com
Resource:
Issue Tracking
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

799Records found
Details not found