Vulnerability in Bitbucket Server leading to code execution on the server

A critical vulnerability (CVE-2022-43781) has been identified in Bitbucket Server, a package for deploying a web interface for working with Git repositories, which allows a remote attacker to achieve code execution on the server. The vulnerability can be exploited by an unauthenticated user if self-registration is allowed on the server (the "Allow public signup" setting is enabled). Exploitation is also possible by an authenticated user who has the right to change usernames (i.e. ADMIN or SYS_ADMIN authority). Details have not been published yet; it is only known that the problem stems from the ability to inject commands through environment variables.

The issue affects the 7.x and 8.x branches and has been fixed in Bitbucket Server and Bitbucket Data Center releases 7.6.19, 7.17.12, 7.21.6, 8.0.5, 8.1.5, 8.2.4, 8.3.3, 8.4.2 and 8.5.0. The vulnerability does not affect the bitbucket.org cloud service; it only affects self-hosted installations. The issue also does not occur on Bitbucket Server and Data Center installations that use PostgreSQL as the database.
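As an added example (not part of the opennet.ru item), a small Python triage helper that checks a Bitbucket Server/Data Center version string against the fixed releases listed above and combines the result with the two exposure notes (public signup, PostgreSQL). Two rules are assumptions drawn from the advisory's wording rather than stated in it: that every release from 8.5.0 onward carries the fix, and that a 7.x or 8.x minor branch with no listed fixed release has to move to one of the fixed branches.

```python
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (7, 6): (7, 6, 19), (7, 17): (7, 17, 12), (7, 21): (7, 21, 6),
    (8, 0): (8, 0, 5), (8, 1): (8, 1, 5), (8, 2): (8, 2, 4),
    (8, 3): (8, 3, 3), (8, 4): (8, 4, 2), (8, 5): (8, 5, 0),
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; a missing PATCH counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) == 3 else 0
    return major, minor, patch

def is_vulnerable(version: str) -> Optional[bool]:
    """True = needs upgrade, False = fixed, None = branch not in advisory."""
    major, minor, patch = parse_version(version)
    if major not in (7, 8):          # advisory covers only 7.x and 8.x
        return None
    if (major, minor) >= (8, 5):     # assumption: 8.5.0 and later are fixed
        return False
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:                # assumption: no patched release on this
        return True                  # branch, so it must move to a fixed one
    return (major, minor, patch) < fixed

def triage(version: str, public_signup: bool, database: str) -> str:
    """Combine the version check with the two exposure notes in the advisory."""
    vuln = is_vulnerable(version)
    if vuln is None:
        return "not covered by this advisory"
    if not vuln:
        return "fixed release"
    if database.lower() == "postgresql":
        return "vulnerable version, but PostgreSQL-backed: advisory says not affected"
    if public_signup:
        return "vulnerable: unauthenticated exploitation possible (public signup on)"
    return "vulnerable: exploitable by users allowed to change usernames"

if __name__ == "__main__":
    # Constructed sample inputs, not real installations.
    for v, signup, db in [("8.4.1", True, "mysql"), ("8.4.2", False, "mysql"),
                          ("7.18.3", False, "PostgreSQL")]:
        print(v, "->", triage(v, signup, db))
```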

Source: opennet.ru
