Sourcegraph
CVE-2022-23642
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the gitserver service. The service acts as a git exec proxy, and fails to properly restrict calling git config. This allows an attacker to set the git core.sshCommand option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.
AnalysisAI
Sourcegraph is a code search and navigation engine. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the gitserver service. The service acts as a git exec proxy, and fails to properly restrict calling git config. This allows an attacker to set the git core.sshCommand option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected. Affected products include: Sourcegraph. Version information: version 3.37.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
More in Sourcegraph
View allSourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL
Sourcegraph is a code intelligence platform. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity
sourcegraph is a code intelligence platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable,
Sourcegraph is a fast and featureful code search and navigation engine. Rated high severity (CVSS 7.2), this vulnerabili
Sourcegraph is a code search and navigation engine. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Sourcegraph is an opensource code search and navigation engine. Rated medium severity (CVSS 4.3), this vulnerability is
Sourcegraph is an opensource code search and navigation engine. Rated medium severity (CVSS 4.3), this vulnerability is
Sourcegraph is a code search and navigation engine. Rated medium severity (CVSS 4.3), this vulnerability is remotely exp
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today