Attacker Value: Moderate (1 user assessed)
Exploitability: Moderate (1 user assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

CVE-2022-43781

Disclosure Date: November 17, 2022

Description

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

Ratings
  • Attacker Value: Medium
  • Exploitability: Medium
Technical Analysis

Upon creation of a new user or when an existing user changes their user name, some local environment variables are updated to reflect those changes. The functionality involved in making these changes uses the \u0000 character as a delimiter, allowing for injection of environment variables into the user name if input such as username\u0000ENV_VAR=VALUE is used. The GIT_EXTERNAL_DIFF environment variable will execute the script that it’s assigned to when git diff is called, which can occur by viewing a diff in a repository hosted with Bitbucket.

An attacker must be able to modify or set a user name in order to inject an environment variable and payload into it. Bitbucket appears to only allow users in the admin and sys admin groups this particular permission. In some cases, this vulnerability can be exploited without authentication through the allow public signup feature in Bitbucket, a non-default feature which permits account creation for anyone that has public access to the server. While this means an attacker has control over the user name and can consequently inject a payload into it, they cannot change the user name. This doesn’t bode well for attackers who want to evade detection.

Exploit attempts can be detected in various ways. Length restrictions on the user name make it difficult to drop anything other than a simple shell on the target, leading to multiple name change requests in the logs. Additionally, the user name, including the GIT_EXTERNAL_DIFF= string, will appear in the logs and will remain on the site if exploited through the public signup option. Lastly, the GIT_EXTERNAL_DIFF environment variable will remain set if exploitation fails.
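Added detection example (not part of this assessment and not Bitbucket code): it scans constructed signup/rename log events for user names that carry a NUL-delimited environment-variable assignment, the pattern the assessment describes, and flags GIT_EXTERNAL_DIFF as high risk. The log line layout, field names and the functions analyse_username, is_safe_username and scan_log are assumptions made for this example.

```python
import re

# The NUL delimiter as it may appear in a log line: the raw control character
# or a textual escape a log writer might substitute for it.
NUL = r"(?:\x00|\\u0000|\\x00|%00)"
# NUL followed by something shaped like an environment-variable assignment.
ENV_ASSIGNMENT = re.compile(NUL + r"([A-Za-z_][A-Za-z0-9_]*)=")
# Variable the assessment names as executing a program when git diff runs.
GIT_EXEC_VARS = {"GIT_EXTERNAL_DIFF"}
# Assumed log layout, constructed for this example (not Bitbucket's own format).
LINE = re.compile(r'^(\S+) (USER_CREATED|USER_RENAMED) actor=(\S+) username="(.*)"$')

def analyse_username(username):
    """Names of variables injected into a user name, and whether one of them makes git run a program."""
    injected = [m.group(1) for m in ENV_ASSIGNMENT.finditer(username)]
    return {"injected_vars": injected,
            "high_risk": any(v in GIT_EXEC_VARS for v in injected)}

def is_safe_username(username):
    """Validation counterpart: reject control characters so no delimiter reaches the environment code."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in username)

def scan_log(lines):
    """One alert per signup or rename whose user name carries an injected variable."""
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a user-creation/rename event in the assumed format
        ts, event, actor, username = m.groups()
        finding = analyse_username(username)
        if finding["injected_vars"]:
            alerts.append({"time": ts, "event": event, "actor": actor,
                           "username": username, **finding})
    return alerts

# Constructed sample events: the NUL is written as the \u0000 escape used in the
# assessment above, and the variable value is a placeholder, not a payload.
SAMPLE_LOG = [
    '2022-11-17T10:00:01Z USER_CREATED actor=anonymous username="alice"',
    '2022-11-17T10:00:07Z USER_CREATED actor=anonymous '
    'username="bob\\u0000GIT_EXTERNAL_DIFF=/PLACEHOLDER/path"',
    '2022-11-17T10:01:12Z USER_RENAMED actor=admin username="carol\\u0000FOO=bar"',
    '2022-11-17T10:02:30Z USER_RENAMED actor=admin username="dave"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)  # prints the two suspicious events
```

Any NUL-delimited assignment is reported, since the length limits mentioned above mean an attempt may arrive as several rename events; the GIT_EXTERNAL_DIFF case is only the one singled out as high risk.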

CVSS V3 Severity and Metrics
Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • atlassian

Products

  • bitbucket
