First published: Fri Feb 18 2022(Updated: )
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Sourcegraph Sourcegraph | <3.37 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-23642 is a vulnerability that affects Sourcegraph, a code search and navigation engine, prior to version 3.37.
CVE-2022-23642 has a severity rating of 8.8, which is considered high.
CVE-2022-23642 allows for remote code execution in the `gitserver` service of Sourcegraph.
An attacker can exploit CVE-2022-23642 by setting the git `core.sshCommand` to execute arbitrary commands.
To fix CVE-2022-23642, update Sourcegraph to version 3.37 or above.