CVE-2022-43781

Published Nov 17, 2022

Last updated a month ago

CVSS critical 9.8

Overview

Description: There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
Source: security@atlassian.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: CWE-77
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-77

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "724D75B1-262B-4834-BDF9-359992FE358F",
            "versionEndExcluding": "7.6.19",
            "versionStartIncluding": "7.0.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7DDB30B8-27BB-4754-A801-CC6D7FBD112D",
            "versionEndExcluding": "7.17.12",
            "versionStartIncluding": "7.7.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C46D83C6-2375-4187-9A5F-1AD81A6520DA",
            "versionEndExcluding": "7.21.6",
            "versionStartIncluding": "7.18.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "18D68073-ED08-433F-9EB3-6BE4D58B08E6",
            "versionEndExcluding": "8.0.5",
            "versionStartIncluding": "7.22.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7C1B0213-8CA7-4179-90D3-FCFE8BBE33BA",
            "versionEndExcluding": "8.1.5",
            "versionStartIncluding": "8.1.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0D270F32-1BB2-46F8-8737-4CB39508EDD4",
            "versionEndExcluding": "8.2.4",
            "versionStartIncluding": "8.2.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CF6224A3-4AD8-4DA7-8E68-A890B3915337",
            "versionEndExcluding": "8.3.3",
            "versionStartIncluding": "8.3.0"
          },
          {
            "criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "224634CB-9CA5-4292-B3F8-B3A86E4ADD70",
            "versionEndExcluding": "8.4.2",
            "versionStartIncluding": "8.4.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References