CVE-2022-23642

Code Injection in Sourcegraph

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.

Sourcegraph es un motor de búsqueda y navegación de código. Sourcegraph versiones anteriores a 3.37, es vulnerable a una ejecución de código remota en el servicio "gitserver". El servicio actúa como un proxy de git exec, y no restringe apropiadamente la llamada a "git config". Esto permite a un atacante configurar la opción git "core.sshCommand", que establece que git use el comando especificado en lugar de ssh cuando necesite conectarse a un sistema remoto. Una explotación de esta vulnerabilidad depende de cómo sea desplegado Sourcegraph. Un atacante capaz de hacer peticiones HTTP a servicios internos como gitserver es capaz de explotarla. Este problema está parcheado en la versión 3.37 de Sourcegraph. Como medida de mitigación, asegúrate de que las peticiones a gitserver están correctamente protegidas

A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the commands that are able to be executed through the git exec REST API.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-19 CVE Reserved
2022-02-18 CVE Published
2022-06-10 First Exploit
2024-08-03 CVE Updated
2025-02-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-862: Missing Authorization

CAPEC

References (8)

URL	Tag	Source

URL	Date	SRC
https://packetstorm.news/files/id/167741	2022-07-13
https://packetstorm.news/files/id/167506	2022-06-20
https://www.exploit-db.com/exploits/50964	2022-06-14
https://github.com/Altelus1/CVE-2022-23642	2022-06-10
http://packetstormsecurity.com/files/167506/Sourcegraph-Gitserver-3.36.3-Remote-Code-Execution.html	2024-08-03
http://packetstormsecurity.com/files/167741/Sourcegraph-gitserver-sshCommand-Remote-Command-Execution.html	2024-08-03

URL	Date	SRC
https://github.com/sourcegraph/sourcegraph/pull/30833	2023-06-27
https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9	2022-02-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sourcegraph Search vendor "Sourcegraph"		Sourcegraph Search vendor "Sourcegraph" for product "Sourcegraph"				< 3.37 Search vendor "Sourcegraph" for product "Sourcegraph" and version " < 3.37"		-		Affected