A critical vulnerability (CVE-2022-43781) has been disclosed in Bitbucket Server, a package for deploying a web interface for working with Git repositories; it allows a remote attacker to execute code on the server. The vulnerability can be exploited by an outsider with no existing account if the server allows self-registration (the "Allow public signup" setting is enabled). Exploitation is also possible by an authenticated user who has permission to change usernames (i.e. who holds ADMIN or SYS_ADMIN privileges). No details have been published yet; it is only known that the problem is caused by the possibility of command injection through environment variables.
The problem affects the 7.x and 8.x branches and is fixed in Bitbucket Server and Bitbucket Data Center releases 8.5.0, 8.4.2, 7.17.12, 7.21.6, 8.0.5, 8.1.5, 8.3.3, 8.2.4 and 7.6.19. Note that fixed builds exist only for those maintenance branches: an installation on a 7.x or 8.x branch without a listed fix (for example 7.7 through 7.16) has to move to a maintained branch rather than wait for a patch release. The vulnerability does not affect the bitbucket.org cloud service, only the products installed on one's own infrastructure. The problem also does not affect Bitbucket Server and Data Center instances that use the PostgreSQL DBMS to store their data.
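The conditions above (affected branches, per-branch fixed releases, the PostgreSQL and bitbucket.org exclusions, and the two exploitation paths) are easy to get wrong when checking a fleet by hand, so here is a small triage helper that encodes them. This is an added example written for this page, not code from Atlassian or from the advisory; the `Instance` record, its field names and the sample inventory are constructed for illustration, and versions outside 7.x/8.x are reported as "unknown" because the advisory text says nothing about them.

```python
"""Triage helper for CVE-2022-43781 (Bitbucket Server / Data Center).

Encodes the conditions from the advisory text: affected 7.x/8.x releases,
the per-branch fixed releases, the PostgreSQL and bitbucket.org exclusions,
and the two exploitation paths (self-registration vs. ADMIN/SYS_ADMIN).
"""
from dataclasses import dataclass

# Fixed releases listed in the advisory, keyed by (major, minor) branch.
FIXED_PATCH = {
    (7, 6): 19, (7, 17): 12, (7, 21): 6,
    (8, 0): 5, (8, 1): 5, (8, 2): 4, (8, 3): 3, (8, 4): 2, (8, 5): 0,
}


def parse_version(text):
    """Turn '8.3.3' (stray whitespace tolerated) into (8, 3, 3); reject anything else."""
    parts = text.replace(" ", "").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Bitbucket version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version):
    """True when the release already contains the fix for CVE-2022-43781."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= (8, 5):          # 8.5.0 and every later feature release
        return True
    fix_patch = FIXED_PATCH.get((major, minor))
    # Branches with no fixed release (e.g. 7.7 .. 7.16, 7.18 .. 7.20) are never fixed:
    # such installs must move to a maintained branch like 7.17.12 or 7.21.6.
    return fix_patch is not None and patch >= fix_patch


@dataclass
class Instance:
    """Hypothetical inventory record; field names are this example's own."""
    version: str
    cloud: bool = False            # bitbucket.org rather than self-hosted
    database: str = "postgresql"   # backing DBMS as reported by the admin UI
    public_signup: bool = False    # state of the "Allow public signup" setting


def triage(inst):
    """Return (status, detail); status is 'affected', 'not_affected' or 'unknown'."""
    if inst.cloud:
        return "not_affected", "bitbucket.org cloud service is not affected"
    major = parse_version(inst.version)[0]
    if major not in (7, 8):
        # Assumption: the advisory only covers 7.x and 8.x; say so rather than guess.
        return "unknown", f"{inst.version} is outside the 7.x/8.x range covered by the advisory"
    if is_fixed(inst.version):
        return "not_affected", f"{inst.version} already contains the fix"
    if inst.database.strip().lower() == "postgresql":
        return "not_affected", "instances backed by PostgreSQL are not affected"
    if inst.public_signup:
        return "affected", ("CRITICAL: anyone who can self-register can reach the command "
                            "injection; disable 'Allow public signup' until patched")
    return "affected", ("HIGH: exploitable by authenticated users who can change usernames "
                        "(ADMIN or SYS_ADMIN); upgrade to a fixed release")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    fleet = [
        Instance("8.2.3", database="mysql", public_signup=True),
        Instance("8.2.3", database="PostgreSQL"),
        Instance("7.10.2", database="oracle"),
        Instance("8.4.2", database="mysql", public_signup=True),
        Instance("8.6.0", database="mysql"),
    ]
    for inst in fleet:
        status, detail = triage(inst)
        print(f"{inst.version:>8}  {status:<13} {detail}")
```

The version logic deliberately treats a branch without a listed fix as unfixed regardless of patch level, since the advisory only names fixed builds on the branches shown; turning off "Allow public signup" while waiting for the upgrade follows directly from the exploitation conditions stated above.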