There is a command injection vulnerability in Bitbucket Server and Data Center that is triggered through environment variables. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be exploited without authentication if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
References
| Link | Resource |
|---|---|
| https://confluence.atlassian.com/x/Y4hXRg | Mitigation, Release Notes, Vendor Advisory |
| https://jira.atlassian.com/browse/BSERV-13522 | Issue Tracking, Patch, Vendor Advisory |
MITRE Information
Status: PUBLISHED
Assigner: atlassian
Published: 2022-11-17T00:00:01.210Z
Reserved: 2022-10-26T14:49:11.114Z
Link: CVE-2022-43781
NVD Information
Status : Analyzed
Published: 2022-11-17T00:15:18.483
Modified: 2022-11-18T18:51:28.923
Link: CVE-2022-43781