CVE-2022-43781: critical Bitbucket Server and Data Center vulnerability
Atlassian has rolled out fixes to remediate a critical security vulnerability affecting its Bitbucket Server and Data Center product.
Tracked as CVE-2022-43781, the issue has been characterized as a command injection vulnerability using environment variables that could be exploited via specially crafted requests.
“There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution and execute code on the system,” Atlassian said in an advisory.
The issue affects all versions of Bitbucket Server and Data Center from 7.0 through 7.21. Versions 8.0 through 8.4 are also affected if mesh.enabled=false is set in bitbucket.properties.
The company said Bitbucket Server and Data Center instances running PostgreSQL are not affected by this issue.
It’s instead recommending that users either update to the latest version of the app or disable public signup. Atlassian’s advisory adds: “Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one, which would reduce the risk of exploitation. To disable this setting, go to Administration > Authentication and clear the Allow public sign up checkbox.”
However, ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled.
“For this reason, this mitigation should be treated as a temporary step and customers are recommended to upgrade to a fixed version as soon as possible,” the company cautioned in its advisory regarding CVE-2022-43781.
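A small triage helper that encodes the affected-version and configuration conditions stated above, so an administrator can decide whether an instance needs the upgrade or the interim mitigation. This is an added example, not Atlassian's code; it assumes the version string is read from the instance's About page and that the database is configured in bitbucket.properties via the jdbc.url key (instances configured through the setup wizard may not have it there).

```python
"""Triage helper for CVE-2022-43781 (added example, not Atlassian code)."""
import re

# Constructed sample bitbucket.properties; not taken from a real instance.
SAMPLE_PROPERTIES = """\
# database configured at install time
jdbc.driver=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://db.example.internal:3306/bitbucket
mesh.enabled=false
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments.
    Backslash line continuations are not handled (none of the keys used here need them)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def major_minor(version: str) -> tuple:
    """'8.4.2' -> (8, 4); a bare '8' is treated as 8.0."""
    parts = version.strip().split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return int(parts[0]), minor


def assess(version: str, props: dict) -> str:
    """Apply the advisory's conditions: 'affected', 'not_affected', or 'verify_mesh'
    (8.0-8.4 with no explicit mesh.enabled value; the page only states the
    mesh.enabled=false case, so the effective default must be checked separately)."""
    major, minor = major_minor(version)
    # Advisory: instances running PostgreSQL are not affected regardless of version.
    if props.get("jdbc.url", "").lower().startswith("jdbc:postgresql:"):
        return "not_affected"
    if major == 7 and minor <= 21:
        return "affected"
    if major == 8 and minor <= 4:
        mesh = props.get("mesh.enabled", "").strip().lower()
        if mesh == "false":
            return "affected"
        return "verify_mesh" if mesh == "" else "not_affected"
    return "not_affected"
```

An instance assessed as `affected` should be upgraded; disabling public signup only narrows exposure to ADMIN/SYS_ADMIN users, as the advisory notes.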