What is CVE-2022-29171?

CVE-2022-29171 is a vulnerability that allows remote code execution in the gitserver service of Sourcegraph versions before 3.38.0.

How severe is CVE-2022-29171?

CVE-2022-29171 has a severity score of 7.2 (High).

Which software versions are affected by CVE-2022-29171?

Sourcegraph versions before 3.38.0 are affected by CVE-2022-29171.

What is the Common Weakness Enumeration (CWE) ID for CVE-2022-29171?

CVE-2022-29171 is associated with CWE-94 (Improper Control of Generation of Code) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

How can I fix CVE-2022-29171?

To fix CVE-2022-29171, upgrade Sourcegraph to version 3.38.0 or above.

Vulnerability/
CVE-2022-29171

high

7.2

CWE

94 74

6/5/2022

21/7/2023

CVE-2022-29171: Code Injection

First published: Fri May 06 2022(Updated: )

Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a `callsignCommand`, which is used to obtain the Phabricator metadata for a Gitolite repository. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraph’s bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation. The attack requires: site-admin privileges on the instance of Sourcegraph, Administrative privileges on the bundled Grafana monitoring instance, Knowledge of the gitserver IP address or DNS name (if running in Kubernetes). This can be found through Grafana. The issue is patched in version 3.38.0. You may disable Gitolite code hosts. We still highly encourage upgrading regardless of workarounds.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Sourcegraph Sourcegraph	<3.38.0

Never miss a vulnerability like this again

Reference Links

https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-r2m9-hfg8-4c38

Frequently Asked Questions

What is CVE-2022-29171?
CVE-2022-29171 is a vulnerability that allows remote code execution in the gitserver service of Sourcegraph versions before 3.38.0.
How severe is CVE-2022-29171?
CVE-2022-29171 has a severity score of 7.2 (High).
Which software versions are affected by CVE-2022-29171?
Sourcegraph versions before 3.38.0 are affected by CVE-2022-29171.
What is the Common Weakness Enumeration (CWE) ID for CVE-2022-29171?
CVE-2022-29171 is associated with CWE-94 (Improper Control of Generation of Code) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
How can I fix CVE-2022-29171?
To fix CVE-2022-29171, upgrade Sourcegraph to version 3.38.0 or above.

collector/nvd-index
agent/references
agent/weakness
agent/severity
agent/author
agent/event
agent/type
agent/description
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/tags
collector/nvd-api
agent/software-canonical-lookup-request
vendor/sourcegraph
canonical/sourcegraph sourcegraph

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.