Critical severity command injection vulnerability - CVE-2022-43781

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to gain code execution on the system. This vulnerability was introduced in Bitbucket Server and Data Center version 7.0.

Affected versions:

• 7.0.0 ≤ version < 7.6.19
• 7.7.0 ≤ version < 7.17.12
• 7.18.0 ≤ version < 7.21.6
• 7.22.0 ≤ version < 8.0.5
• 8.1.0 ≤ version < 8.1.5
• 8.2.0 ≤ version < 8.2.4
• 8.3.0 ≤ version < 8.3.3
• 8.4.0 ≤ version < 8.4.2

Fixed versions:

• 7.6.19 or newer
• 7.17.12 or newer
• 7.21.6 or newer
• 8.0.5 or newer
• 8.1.5 or newer
• 8.2.4 or newer
• 8.3.3 or newer
• 8.4.2 or newer
• 8.5.0 or newer

For full descriptions of the above versions of Bitbucket Server and Data Center, see the [release notes|https://confluence.atlassian.com/bitbucketserver/release-notes-872139866.html]. You can download the latest version of Bitbucket from the [download center.|https://www.atlassian.com/software/bitbucket/download-archives] For Frequently Asked Questions (FAQ) [click here.|https://confluence.atlassian.com/x/5XmaRQ]

For additional details, see the full advisory: [https://confluence.atlassian.com/x/Y4hXRg]