CVE-2022-43781: Bitbucket Server and Data Center Security Advisory 2022-11-16 | Bitbucket Data Center and Server 8.6
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.
Bitbucket Server and Data Center - Command Injection Vulnerability - CVE-2022-43781
Summary
CVE-2022-43781 - Command Injection Vulnerability
Advisory Release Date
16 Nov 2022 10 AM PDT (Pacific Time, -7 hours)
Product
Bitbucket Server
Bitbucket Data Center
CVE ID(s)
CVE-2022-43781
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability introduced in version 7.0.0 of Bitbucket Server and Data Center. The following versions are affected by this vulnerability:
Bitbucket Data Center and Server 7.0 to 7.21
Bitbucket Data Center and Server 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties
There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system.
This issue can be tracked here: BSERV-13522.
Atlassian Cloud sites are not affected.
If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.
Severity
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT environment.
Affected Versions
All versions of Bitbucket Server and Data Center from 7.0 to 7.21 are affected by this vulnerability. Versions 8.0 to 8.4 of Bitbucket Server and Data Center are also affected by this vulnerability if mesh.enabled=false is set in bitbucket.properties.
Product: Bitbucket Server and Data Center
Affected versions:
  7.0 to 7.5 (all versions)
  7.6.0 to 7.6.18
  7.7 to 7.16 (all versions)
  7.17.0 to 7.17.11
  7.18 to 7.20 (all versions)
  7.21.0 to 7.21.5
Affected versions if mesh.enabled=false is set in bitbucket.properties:
  8.0.0 to 8.0.4
  8.1.0 to 8.1.4
  8.2.0 to 8.2.3
  8.3.0 to 8.3.2
  8.4.0 to 8.4.1
Fixed Versions
Product: Bitbucket Server and Data Center
Fixed versions:
  7.6.19 or newer
  7.17.12 or newer
  7.21.6 or newer
  8.0.5 or newer
  8.1.5 or newer
  8.2.4 or newer
  8.3.3 or newer
  8.4.2 or newer
  8.5.0 or newer
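The affected and fixed ranges above are easy to misread by hand, so here is an added example (not Atlassian code) that encodes them as version ranges and checks an installed version against them. It reads bitbucket.properties text because the advisory makes the 8.x ranges conditional on mesh.enabled=false and states that PostgreSQL-backed instances are not affected; the sample properties content is constructed.

```python
"""Decide whether a Bitbucket Server / Data Center install falls inside the
CVE-2022-43781 affected ranges from the advisory. Added example, not
Atlassian code. Assumes bitbucket.properties uses plain key=value lines."""
import re

# (first affected, first not affected): upper bounds are the fixed releases,
# or the next minor line for the "(all versions)" rows.
AFFECTED_7X = [
    ((7, 0, 0), (7, 6, 0)),     # 7.0 to 7.5 (all versions)
    ((7, 6, 0), (7, 6, 19)),    # 7.6.0 to 7.6.18, fixed in 7.6.19
    ((7, 7, 0), (7, 17, 0)),    # 7.7 to 7.16 (all versions)
    ((7, 17, 0), (7, 17, 12)),  # 7.17.0 to 7.17.11, fixed in 7.17.12
    ((7, 18, 0), (7, 21, 0)),   # 7.18 to 7.20 (all versions)
    ((7, 21, 0), (7, 21, 6)),   # 7.21.0 to 7.21.5, fixed in 7.21.6
]
# 8.x rows apply only when mesh.enabled=false is set explicitly.
AFFECTED_8X_MESH_DISABLED = [
    ((8, 0, 0), (8, 0, 5)), ((8, 1, 0), (8, 1, 5)), ((8, 2, 0), (8, 2, 4)),
    ((8, 3, 0), (8, 3, 3)), ((8, 4, 0), (8, 4, 2)),
]

def parse_version(text):
    """'7.21.5' -> (7, 21, 5); '7.21' -> (7, 21, 0); trailing suffixes ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def read_properties(text):
    """Minimal bitbucket.properties reader: key=value lines, '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def is_affected(version, properties_text=""):
    props = read_properties(properties_text)
    # The advisory states that instances running PostgreSQL are not affected.
    if "postgresql" in props.get("jdbc.driver", "").lower():
        return False
    ranges = list(AFFECTED_7X)
    if props.get("mesh.enabled", "").lower() == "false":
        ranges += AFFECTED_8X_MESH_DISABLED
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in ranges)

# Constructed sample bitbucket.properties content for the demo run.
SAMPLE_PROPERTIES = "# constructed sample\njdbc.driver=com.mysql.jdbc.Driver\nmesh.enabled=false\n"

if __name__ == "__main__":
    print({v: is_affected(v, SAMPLE_PROPERTIES) for v in ("7.6.18", "7.6.19", "8.4.1", "8.5.0")})
```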
What You Need to Do
Atlassian recommends that you upgrade each of your affected installations to one of the fixed versions listed above (or any later version); see the “Fixed Versions” section of this page for details. For a full description of the latest version of Bitbucket Server and Data Center, see the release notes. You can download the latest version of Bitbucket from the download center. Further details are in the Frequently Asked Questions (FAQ).
Mitigation
To remediate this vulnerability, update each affected product installation to a fixed version listed above.
If you’re unable to upgrade your Bitbucket instance, a temporary mitigation step is to disable “Public Signup”. Disabling public signup would change the attack vector from an unauthenticated attack to an authenticated one which would reduce the risk of exploitation. To disable this setting, go to Administration > Authentication and clear the Allow public sign up checkbox.
ADMIN or SYS_ADMIN authenticated users still have the ability to exploit the vulnerability when public signup is disabled. For this reason, this mitigation should be treated as a temporary step and customers are recommended to upgrade to a fixed version as soon as possible.
Bitbucket Server and Data Center instances running PostgreSQL are not affected.
Acknowledgements
Information that led to the discovery of this vulnerability was provided by @Ry0taK.
Support
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
Security Bug fix Policy
As per our new policy, critical security bug fixes will be backported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new maintenance releases for the versions covered by the policy instead of binary patches.
Binary patches are no longer released.
Severity Levels for security issues
Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life Policy
Our end of life policy varies for different products. Please refer to our EOL Policy for details.
Related news
For various versions of Bitbucket, there is an authenticated command injection vulnerability that can be exploited by injecting environment variables into a user name. This module achieves remote code execution as the atlbitbucket user by injecting the GIT_EXTERNAL_DIFF environment variable, a null character as a delimiter, and arbitrary code into a user's user name. The value (payload) of the GIT_EXTERNAL_DIFF environment variable will be run once the Bitbucket application is coerced into generating a diff. This Metasploit module requires at least admin credentials, as admins and above only have the option to change their user name.
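The module summary above gives defenders a concrete shape to hunt for: a control character used as a delimiter inside a username, followed by an environment-variable assignment such as GIT_EXTERNAL_DIFF=. Here is an added detection example (not Atlassian or Metasploit code) that flags such usernames in a list exported from the user directory or audit log; the sample names are constructed.

```python
"""Flag Bitbucket usernames that carry the CVE-2022-43781 injection shape:
a control character delimiter followed by an environment-variable assignment
such as GIT_EXTERNAL_DIFF=... Added detection example, not Atlassian or
Metasploit code; usernames below are constructed."""
import re

# Control characters never belong in a username; NUL is the delimiter the
# module summary names, so the check covers the whole C0 range plus DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# "NAME=" at the start of the string or right after a control character.
ENV_ASSIGNMENT = re.compile(r"(?:^|[\x00-\x1f\x7f])([A-Za-z_][A-Za-z0-9_]*)=")

def inspect_username(name):
    """Return the reasons a username looks like an injection attempt
    (an empty list means the name is clean)."""
    reasons = []
    if CONTROL_CHARS.search(name):
        reasons.append("control character present")
    m = ENV_ASSIGNMENT.search(name)
    if m:
        reasons.append("environment variable assignment: " + m.group(1))
    if "GIT_" in name.upper():
        reasons.append("git environment variable name referenced")
    return reasons

def scan_usernames(usernames):
    """Map each suspicious username to its findings, skipping clean ones."""
    findings = {}
    for user in usernames:
        reasons = inspect_username(user)
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample: two ordinary accounts, one with a stray control
# character, and one shaped like the injection the module summary describes
# (the value after '=' is a placeholder, not a real payload).
SAMPLE_USERNAMES = [
    "alice",
    "bob.smith",
    "carol\x01",
    "mallory\x00GIT_EXTERNAL_DIFF=/tmp/placeholder",
]

if __name__ == "__main__":
    for user, reasons in scan_usernames(SAMPLE_USERNAMES).items():
        print(repr(user), "->", "; ".join(reasons))
```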
Australian software company Atlassian has rolled out security updates to address two critical flaws affecting Bitbucket Server, Data Center, and Crowd products. The issues, tracked as CVE-2022-43781 and CVE-2022-43782, are both rated 9 out of 10 on the CVSS vulnerability scoring system. CVE-2022-43781, which Atlassian said was introduced in version 7.0.0 of Bitbucket Server and Data Center,