CVE-2022-23642

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the gitserver service. The service acts as a git exec proxy, and fails to properly restrict calling git config. This allows an attacker to set the git core.sshCommand option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.

Tags: vulnerability, git, kubernetes, rce, perl, ssh

Impact

Sourcegraph is vulnerable to RCE in the gitserver service. The service acts as a git exec proxy and failed to properly restrict calls to git config. This allows an attacker to set the git core.sshCommand option, which makes git run the specified command instead of ssh whenever it needs to connect to a remote system.

Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it.

Patches

This issue is patched in Sourcegraph version 3.37.

Workarounds

Ensure that requests to gitserver are properly protected (for example using Kubernetes network policies). It is strongly recommended to upgrade the application to get a definitive patch.

References

  • PR with a patch

Related news

Sourcegraph gitserver sshCommand Remote Command Execution

A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the commands that are able to be executed through the git exec REST API.
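The core of the fix described above, for both the Impact section and this entry, is a filter in front of the git exec endpoint that only lets through the subcommands the proxy actually needs, and that is only active when its feature flag is on. The following Go program is an added illustration of that shape of check, not Sourcegraph's own code: the allowlist contents, the `ValidateGitArgs` and `Guard` names, and the sample requests are all assumptions made for the example. It rejects `config` (which is simply absent from the allowlist) and rejects every global option placed before the subcommand, since `-c key=value` is the other place a caller could inject `core.sshCommand` into a single invocation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedSubcommands is a hypothetical allowlist for a read-only git exec
// proxy. It deliberately omits "config": the proxy has no reason to let a
// caller rewrite repository configuration such as core.sshCommand.
var allowedSubcommands = map[string]bool{
	"rev-parse": true, "rev-list": true, "log": true, "show": true,
	"diff": true, "ls-files": true, "ls-tree": true, "cat-file": true,
	"blame": true, "archive": true,
}

// ValidateGitArgs inspects an argv destined for `git` (without the leading
// "git" itself) and returns an error unless it is an allowlisted,
// option-free invocation.
func ValidateGitArgs(args []string) error {
	if len(args) == 0 {
		return errors.New("empty git command")
	}
	sub := args[0]
	// Global options sit before the subcommand. `-c key=value`,
	// `--config-env`, `--git-dir`, `--exec-path` and similar all change
	// where git reads configuration or code from, so the proxy rejects
	// every leading option instead of trying to enumerate the bad ones.
	if strings.HasPrefix(sub, "-") {
		return fmt.Errorf("global git option %q is not allowed before the subcommand", sub)
	}
	if !allowedSubcommands[sub] {
		return fmt.Errorf("git subcommand %q is not allowed", sub)
	}
	return nil
}

// Guard models a filter that sits behind a feature flag. When Enforce is
// false every request passes unchecked, which is the state the advisory
// warns operators to avoid.
type Guard struct {
	Enforce bool
}

// Check returns nil when the request may proceed to git.
func (g Guard) Check(args []string) error {
	if !g.Enforce {
		return nil // filter disabled: nothing is inspected
	}
	return ValidateGitArgs(args)
}

func main() {
	// Constructed sample requests for the demo, not captured traffic.
	requests := [][]string{
		{"log", "--oneline", "-n", "5"},
		{"config", "core.sshCommand", "/tmp/not-ssh"},
		{"-c", "core.sshCommand=/tmp/not-ssh", "rev-parse", "HEAD"},
		{"--git-dir=/srv/other.git", "rev-parse", "HEAD"},
	}
	for _, enforce := range []bool{false, true} {
		g := Guard{Enforce: enforce}
		fmt.Printf("enforce=%v\n", enforce)
		for _, r := range requests {
			fmt.Printf("  %-50s -> %v\n", strings.Join(r, " "), g.Check(r))
		}
	}
}
```

Running it prints each request twice: with the flag off every request, including the `config` write, comes back as `<nil>`; with the flag on only the `log` request passes. The useful operational check is therefore not just that a filter exists but that its flag is actually enabled in the deployed configuration.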

Sourcegraph Gitserver 3.36.3 Remote Code Execution

Sourcegraph Gitserver version 3.36.3 suffers from a remote code execution vulnerability.
