Atlassian fixed a critical severity security vulnerability introduced in version 7.0.0 of Bitbucket Server and Data Center. The bug is a command injection vulnerability that abuses Bitbucket Server and Data Center environment variables. An attacker who can control their own username can exploit this issue to execute code on the system.
The following versions are affected by this vulnerability:
- Bitbucket Data Center and Server 7.0 to 7.21
- Bitbucket Data Center and Server 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties
Atlassian recommends that all users running an affected version of Bitbucket upgrade to the listed fixed versions (or any later version).
Product | Affected Versions | Fixed Versions |
--- | --- | --- |
Bitbucket Server and Data Center | 7.0 to 7.21; 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties | |
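As an added example (not Atlassian's tooling or part of the original advisory), the following Python screens an instance's version string and its bitbucket.properties against the affected ranges listed above, including the mesh.enabled condition for the 8.x series. The version strings and the properties fragment are constructed assumptions; the page gives no fixed-version list, so a positive result means "in an affected series" and the exact patch level still has to be checked against the vendor's list.

```python
import re

# Example added to this advisory summary; not Atlassian's own tooling.
# Inputs below are constructed assumptions for the demonstration.

def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_version(version: str) -> tuple:
    """Return (major, minor) from strings like '7.21.4' or '8.4.0-rc1'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version: str, properties_text: str) -> bool:
    """True when the instance is in an affected series per the advisory.

    7.0-7.21: affected regardless of configuration.
    8.0-8.4:  affected only if mesh.enabled is explicitly 'false'
              (assumption: an unset key does not meet that condition).
    True means 'in an affected series'; confirm the exact patch level
    against the vendor's fixed-version list, which this page does not give.
    """
    major, minor = parse_version(version)
    if major == 7 and 0 <= minor <= 21:
        return True
    if major == 8 and 0 <= minor <= 4:
        mesh = parse_properties(properties_text).get("mesh.enabled", "")
        return mesh.strip().lower() == "false"
    return False


# Constructed bitbucket.properties fragment used by the demo below.
SAMPLE_PROPERTIES = "# constructed sample\nserver.port=7990\nmesh.enabled=false\n"

if __name__ == "__main__":
    for v in ("7.21.0", "8.4.0", "8.5.0"):
        print(v, "affected" if is_affected(v, SAMPLE_PROPERTIES) else "outside affected series")
```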
Mitigation
To remediate this vulnerability, update each affected product installation to a fixed version listed above.
If you're unable to upgrade your Bitbucket instance, a temporary mitigation is to disable "Public Signup". Disabling public signup changes the attack vector from an unauthenticated attack to an authenticated one, which reduces the risk of exploitation. To disable this setting, go to Administration > Authentication and clear the Allow public sign up checkbox.
ADMIN or SYS_ADMIN authenticated users can still exploit the vulnerability when public signup is disabled. For this reason, this mitigation should be treated as a temporary step, and customers are recommended to upgrade to a fixed version as soon as possible.
Bitbucket Server and Data Center instances running PostgreSQL are not affected.