CVE-2022-43781

CRITICAL

Bitbucket Server/Data Center - Command Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-43781. PoCs published by Ry0taK, y4er, Shelby Pace, including Metasploit module exploits/multi/http/bitbucket_env_var_rce.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2022-43781, an authenticated command injection vulnerability in Bitbucket. It achieves RCE by injecting the `GIT_EXTERNAL_DIFF` environment variable into a user's username, which is executed when Bitbucket generates a diff.

Description

There is a command injection vulnerability using environment variables in Bitbucket Server and Data Center. An attacker with permission to control their username can exploit this issue to execute arbitrary code on the system. This vulnerability can be unauthenticated if the Bitbucket Server and Data Center instance has enabled “Allow public signup”.

Exploits (1)

Metasploit · Working PoC · Excellent
by Ry0taK, y4er, Shelby Pace · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/bitbucket_env_var_rce.rb

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Atlassian Bitbucket Server and Data Center (various versions)
Auth required: yes
Prerequisites: Valid admin credentials for Bitbucket · Access to the Bitbucket login page
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References (2)
Mitigation, Release Notes, Vendor Advisory
https://confluence.atlassian.com/x/Y4hXRg
Issue Tracking, Patch, Vendor Advisory
https://jira.atlassian.com/browse/BSERV-13522

Scores

CVSS v3 9.8
EPSS 0.9804
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-77
Status: published
Products (1): atlassian/bitbucket 7.0.0 - 7.6.19
Published: Nov 17, 2022
Tracked Since: Feb 18, 2026