QwikSec

Security Database

CVE

CWE

Training

CVE-2022-23642

Published: Feb 18, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.

Vendor	Product	Versions
sourcegraph	sourcegraph	affected `< 3.37`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9

x_refsource_CONFIRM

https://github.com/sourcegraph/sourcegraph/pull/30833

x_refsource_MISC

http://packetstormsecurity.com/files/167506/Sourcegraph-Gitserver-3.36.3-Remote-Code-Execution.html

x_refsource_MISC

http://packetstormsecurity.com/files/167741/Sourcegraph-gitserver-sshCommand-Remote-Command-Execution.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.