cbcvebase.
CVE-2022-23642
published 2022-02-18


Priority: P2 (78) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 74.31% (99.4th percentile)
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy and fails to properly restrict calls to `git config`. This allows an attacker to set the git `core.sshCommand` option, which makes git run the specified command instead of ssh whenever it needs to connect to a remote system; any subsequent operation that contacts a remote then executes the attacker's command on the gitserver host. Exploitation of this vulnerability depends on how Sourcegraph is deployed: an attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.

Affected

1 range

Vendor       Product      Version range   Fixed in
sourcegraph  sourcegraph  < 3.37          3.37

Detection & IOCs (extracted from sources)

url:      /exec
command:  git config core.sshCommand <cmd>
command:  git remote add origin git@lolololz:foo/bar.git
  • Monitor HTTP requests to the gitserver /exec endpoint whose JSON body carries 'Args' including 'config' and 'core.sshCommand'. This is the first stage of the exploit, setting the malicious SSH command.
  • Alert on git push operations via the /exec endpoint that follow a core.sshCommand configuration call on the same repository. The push is the RCE trigger step; any other command that contacts a remote over SSH would fire it as well.
  • Restrict and audit all inbound HTTP requests to the gitserver service. Exposure of gitserver to untrusted networks is the primary prerequisite for exploitation.
  • Look for git remote add calls via the /exec API using arbitrary or suspicious remote URLs (e.g. fake SSH remotes like git@lolololz:foo/bar.git) as an intermediate exploitation step.
  • The patch in version 3.37.0 introduces a feature flag that MUST be explicitly enabled for protections to be active. Upgrading alone is insufficient without enabling the flag.
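The following is an added example, not code from this page or from Sourcegraph. It ties the exploit chain in the description (config core.sshCommand, remote add, push) to the detection guidance above in one piece of Go: a classifier for /exec request argv, a request guard of the kind an exec proxy should apply before running git, and a detector that correlates a dangerous config write with a later remote operation on the same repository. The log line layout, the JSON field names (repo, args) and the sample log are all constructed for this example and are not Sourcegraph's wire format. The key list goes beyond the advisory: core.sshCommand is the key this CVE abuses; core.gitProxy, core.hooksPath and core.pager are added from general git knowledge as other keys that turn `git config` into command execution. Inline `-c key=value` is also treated as a config write, since a check that only looks at the `config` subcommand would miss it.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// LogEntry is one line of a hypothetical gitserver access log for /exec:
// the request time plus the decoded JSON body. Field names are an
// assumption for this example, not Sourcegraph's actual format.
type LogEntry struct {
	Time time.Time `json:"time"`
	Repo string    `json:"repo"`
	Args []string  `json:"args"`
}

// dangerousKeys are git config keys whose value is executed as a command.
// core.sshCommand is the key CVE-2022-23642 abuses; the others are added
// from general git knowledge, not from the advisory.
var dangerousKeys = map[string]bool{
	"core.sshcommand": true,
	"core.gitproxy":   true,
	"core.hookspath":  true,
	"core.pager":      true,
}

// keyOf reduces "key" or "key=value" to the lowercased key (git config
// keys are case-insensitive).
func keyOf(arg string) string {
	if i := strings.IndexByte(arg, '='); i >= 0 {
		arg = arg[:i]
	}
	return strings.ToLower(arg)
}

// Stage classifies one /exec argv as a step of the exploit chain:
// "config" (dangerous key set via `git config` or inline `-c`),
// "remote-add", "remote-op" (a subcommand that will spawn the SSH command),
// or "" when the request does not match any step.
func Stage(args []string) string {
	for i := 0; i+1 < len(args); i++ {
		if args[i] == "-c" && dangerousKeys[keyOf(args[i+1])] {
			return "config"
		}
	}
	if len(args) == 0 {
		return ""
	}
	switch args[0] {
	case "config":
		for _, a := range args[1:] {
			if dangerousKeys[keyOf(a)] {
				return "config"
			}
		}
	case "remote":
		if len(args) > 1 && args[1] == "add" {
			return "remote-add"
		}
	case "push", "fetch", "pull", "ls-remote":
		return "remote-op"
	}
	return ""
}

// Allow is the server-side guard an exec proxy should apply before running
// git: refuse any argv that would set a command-execution config key.
func Allow(args []string) error {
	if Stage(args) == "config" {
		return fmt.Errorf("refusing git %s: sets a command-execution config key", strings.Join(args, " "))
	}
	return nil
}

// Detect walks the log in order and returns one alert per finding: every
// dangerous config write, and every remote add or remote operation on the
// same repo within window of such a write (the latter is the RCE trigger).
func Detect(entries []LogEntry, window time.Duration) []string {
	var alerts []string
	lastConfig := map[string]time.Time{}
	for _, e := range entries {
		ts := e.Time.Format(time.RFC3339)
		switch Stage(e.Args) {
		case "config":
			lastConfig[e.Repo] = e.Time
			alerts = append(alerts, fmt.Sprintf("%s %s: dangerous config write: git %s", ts, e.Repo, strings.Join(e.Args, " ")))
		case "remote-add":
			if t, ok := lastConfig[e.Repo]; ok && e.Time.Sub(t) <= window {
				alerts = append(alerts, fmt.Sprintf("%s %s: remote added after config write: git %s", ts, e.Repo, strings.Join(e.Args, " ")))
			}
		case "remote-op":
			if t, ok := lastConfig[e.Repo]; ok && e.Time.Sub(t) <= window {
				alerts = append(alerts, fmt.Sprintf("%s %s: RCE trigger: git %s %s after config write", ts, e.Repo, e.Args[0], e.Time.Sub(t)))
			}
		}
	}
	return alerts
}

// ParseLog decodes newline-delimited JSON entries, skipping malformed lines.
func ParseLog(raw string) []LogEntry {
	var out []LogEntry
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		var e LogEntry
		if json.Unmarshal([]byte(sc.Text()), &e) == nil {
			out = append(out, e)
		}
	}
	return out
}

// SampleLog is constructed for this example: the three-step chain from the
// advisory against one repo, surrounded by benign traffic.
const SampleLog = `{"time":"2022-02-18T10:00:00Z","repo":"github.com/org/app","args":["rev-parse","HEAD"]}
{"time":"2022-02-18T10:00:05Z","repo":"github.com/org/app","args":["config","core.sshCommand","id"]}
{"time":"2022-02-18T10:00:06Z","repo":"github.com/org/app","args":["remote","add","origin","git@lolololz:foo/bar.git"]}
{"time":"2022-02-18T10:00:07Z","repo":"github.com/org/app","args":["push","origin","master"]}
{"time":"2022-02-18T11:00:00Z","repo":"github.com/org/other","args":["fetch","origin"]}
`

func main() {
	for _, a := range Detect(ParseLog(SampleLog), 10*time.Minute) {
		fmt.Println(a)
	}
	fmt.Println(Allow([]string{"config", "core.sshCommand", "id"}))
}
```

The detector keys its correlation on the repository rather than on the client address, because on a gitserver-style deployment every request arrives from the same few internal callers. The guard is deliberately an allow/deny on argv rather than on the `config` subcommand name alone; the same `core.sshCommand` value can be injected with `git -c`, and a check that ignores that form is bypassable.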

CVSS provenance

NVD  v3.1  8.8  HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD  v2.0  6.0  MEDIUM  AV:N/AC:M/Au:S/C:P/I:P/A:P