CVE-2022-41942

2022-11-2219:15:18

CWE-78

CWE-20

[email protected]

web.nvd.nist.gov

sourcegraph

code intelligence

cve-2022-41942

command injection

gitserver

vulnerability

input validation

patch

nvd

7.9 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

0.0004 Low

EPSS

Percentile

13.1%

JSON

Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a command Injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the /list-gitolite endpoint. It was possible to send a crafted request to gitserver that would execute commands inside the container. Successful exploitation requires the ability to send local requests to gitserver. The issue is patched in version 4.1.0.

Affected configurations

Vulners

NVD

Node

sourcegraphsourcegraphRange<4.1.0

VendorProductVersionCPE
sourcegraphsourcegraph*cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sourcegraph	sourcegraph	*	cpe:2.3:a:sourcegraph:sourcegraph::::::::

CNA Affected

[
  {
    "vendor": "sourcegraph",
    "product": "sourcegraph",
    "versions": [
      {
        "version": "< 4.1.0",
        "status": "affected"
      }
    ]
  }
]