QID 730671

Date Published: 2022-11-21

QID 730671: Atlassian Bitbucket Server and Data Center Command Injection Vulnerability

Bitbucket Server and Data Center contains a command injection vulnerability that is triggered through environment variables. An attacker with permission to control their own username can exploit this issue to execute arbitrary code on the system (CVE-2022-43781).

Affected Versions:
Atlassian Bitbucket Server and Data Center version 7.0 to 7.5 (all versions)
Atlassian Bitbucket Server and Data Center version 7.6.0 to 7.6.18
Atlassian Bitbucket Server and Data Center version 7.7 to 7.16 (all versions)
Atlassian Bitbucket Server and Data Center version 7.17.0 to 7.17.11
Atlassian Bitbucket Server and Data Center version 7.18 to 7.20 (all versions)
Atlassian Bitbucket Server and Data Center version 7.21.0 to 7.21.5
If mesh.enabled=false is set in bitbucket.properties, the following versions are also affected:
Atlassian Bitbucket Server and Data Center version 8.0.0 to 8.0.4
Atlassian Bitbucket Server and Data Center version 8.1.0 to 8.1.4
Atlassian Bitbucket Server and Data Center version 8.2.0 to 8.2.3
Atlassian Bitbucket Server and Data Center version 8.3.0 to 8.3.2
Atlassian Bitbucket Server and Data Center version 8.4.0 to 8.4.1

Detection Logic:
The QID checks for vulnerable versions of Atlassian Bitbucket Server and Data Center by sending a GET request to the /login endpoint and comparing the version it reports against the affected ranges listed above.

Note: The QID is kept potential because temporary mitigations exist and 8.x versions are only vulnerable if mesh.enabled=false is set in bitbucket.properties.
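The detection logic and the mesh.enabled caveat above, written out as an added example (this is illustrative code, not Qualys' detection signature or Atlassian's code). It assumes the /login page exposes the version in an application-name meta tag's data-version attribute, which is an assumption about the page markup; the sample HTML and bitbucket.properties content are constructed inline. A live check would fetch /login with an HTTP GET and pass the body to extract_version(). The affected ranges are transcribed from the QID's list, so anything outside them is reported as "not_listed" rather than as safe.

```python
import re

# Sentinel meaning "any patch level" for ranges the QID lists as "(all versions)".
ANY = 10**9

# Affected ranges transcribed from the QID's "Affected Versions" list:
# (lowest affected, highest affected inclusive, only affected when mesh.enabled=false)
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 5, ANY), False),
    ((7, 6, 0), (7, 6, 18), False),
    ((7, 7, 0), (7, 16, ANY), False),
    ((7, 17, 0), (7, 17, 11), False),
    ((7, 18, 0), (7, 20, ANY), False),
    ((7, 21, 0), (7, 21, 5), False),
    # 8.x releases are only affected when mesh.enabled=false is set in bitbucket.properties
    ((8, 0, 0), (8, 0, 4), True),
    ((8, 1, 0), (8, 1, 4), True),
    ((8, 2, 0), (8, 2, 3), True),
    ((8, 3, 0), (8, 3, 2), True),
    ((8, 4, 0), (8, 4, 1), True),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# Assumption: the version is carried in the application-name meta tag of the /login page.
META_VERSION_RE = re.compile(
    r'<meta\s+name="application-name"[^>]*\bdata-version="([^"]+)"', re.IGNORECASE
)

# Constructed sample of a /login response body (not captured from a real server).
SAMPLE_LOGIN_HTML = """<!DOCTYPE html><html><head>
<meta name="application-name" content="Bitbucket" data-version="7.17.10" data-commit-id="constructed">
<title>Log in - Bitbucket</title></head><body></body></html>"""

# Constructed sample of a bitbucket.properties file with Mesh explicitly disabled.
SAMPLE_PROPERTIES = "# constructed sample\nserver.port=7990\nmesh.enabled=false\n"


def parse_version(text):
    """Parse 'major.minor[.patch]' into a comparable tuple; missing patch is 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def extract_version(login_html):
    """Pull the Bitbucket version out of the /login page HTML (assumed meta tag)."""
    m = META_VERSION_RE.search(login_html)
    return parse_version(m.group(1)) if m else None


def mesh_enabled_from_properties(properties_text):
    """Return True/False for an explicit mesh.enabled setting, None if it is not set."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or Java properties comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == "mesh.enabled":
            return value.strip().lower() == "true"
    return None


def assess(version, mesh_enabled=None):
    """Classify a version tuple against the QID's affected ranges.

    mesh_enabled is the value of mesh.enabled from bitbucket.properties, or None
    when it is unknown (the scanner only sees /login), in which case 8.x matches
    are reported as 'potential', mirroring the QID's note.
    """
    for low, high, mesh_only in AFFECTED_RANGES:
        if low <= version <= high:
            if not mesh_only or mesh_enabled is False:
                return "vulnerable"
            if mesh_enabled is True:
                return "not_affected_mesh_enabled"
            return "potential"
    return "not_listed"


if __name__ == "__main__":
    v = extract_version(SAMPLE_LOGIN_HTML)
    print("/login reports", v, "->", assess(v))
    mesh = mesh_enabled_from_properties(SAMPLE_PROPERTIES)
    print("8.2.3 with mesh.enabled=%s -> %s" % (mesh, assess((8, 2, 3), mesh)))
    print("8.2.3 with mesh.enabled unknown ->", assess((8, 2, 3)))
```

Tuple comparison handles the "(all versions)" ranges because the sentinel patch value is larger than any real patch level; a fixed release such as 7.6.19 falls between two ranges and is reported as not listed, which is the correct outcome for a list that only enumerates affected versions.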

Successful exploitation of the vulnerability may lead to remote code execution.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as Critical - 10 severity.
  • Solution
    The vendor has released patches; for more information, refer to the Atlassian Bitbucket Security Advisory.

    Workaround:
    If you are unable to upgrade your Bitbucket instance, a temporary mitigation is to disable "Public Signup". Disabling public signup changes the attack vector from an unauthenticated attack to an authenticated one, which reduces the risk of exploitation. To disable this setting, go to Administration > Authentication and clear the "Allow public sign up" checkbox.

    Authenticated users with ADMIN or SYS_ADMIN permissions are still able to exploit the vulnerability when public signup is disabled. For this reason, this mitigation should be treated as a temporary step, and customers are recommended to upgrade to a fixed version as soon as possible.

    CVEs related to QID 730671
    CVE-2022-43781

    Software Advisories
    Advisory ID: Atlassian Bitbucket Security Advisory
    Link: confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html