The attacker can exploit this issue by creating an SSH key on the victim's Bitbucket Server and Data Center instance, and then creating a new user account with that key. If the “Enable public signup” option is enabled, the new user can be made a member of the “Administrators” group, allowing the attacker to access the user's environment variables. The attacker can then make a POST request to a vulnerable endpoint and pass a command-line variable (e.g. -c "echo X > /path/to/file") to the server via the env- variable. The server will then execute the command in the context of the “Administrators” user. This command can be any arbitrary code that the attacker desires.

On the server side, the administrator can update the server's firewall to allow traffic from trusted IPs. The attacker can then configure an SSH key on the server and create a new user that has administrator privileges. The attacker can now create a new post and pass the command-line variable described above to the server via the env- variable. The server will then execute the command in the context of the “Administrators” user. This command can be any arbitrary code that the attacker desires.

CVE-2023-43781

The attacker can create an SSH key on the victim's Bitbucket Server and Data Center instance, and then create a new user account with that key. If the “Enable public signup” option is enabled, the new user can be made a member of the “Administrators” group. The attacker can then make a POST request to a vulnerable endpoint and pass a command-line variable (e.g. -c "echo X > /path/to/file") to the server via the env- variable. The server will then execute the command in the context of the “Administrators” user. This command can be any arbitrary code that the attacker desires. On the server side, there are two ways to mitigate this issue:
1) The administrator could update their firewall to block traffic from trusted IPs in order to prevent this attack from occurring.
2) The administrator could change their SSH keys on their Data Center instance (

Timeline

Published on: 11/17/2022 00:15:00 UTC
Last modified on: 11/18/2022 18:51:00 UTC

References