CVE-2022-23642
Published 2022-02-18
Priority P2 (78) · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS 74.31% (99.4th percentile)
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. An attacker able to make HTTP requests to internal services like gitserver is able to exploit it. This issue is patched in Sourcegraph version 3.37. As a workaround, ensure that requests to gitserver are properly protected.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sourcegraph | sourcegraph | < 3.37 | 3.37 |
Detection & IOCs
- Monitor HTTP GET requests to the gitserver /exec endpoint whose JSON body has an `Args` array containing `config` and `core.sshCommand`; this is the first stage of the exploit, setting the malicious SSH command.
- Alert on git push operations via the /exec endpoint immediately following a core.sshCommand configuration call; the push is the step that triggers the RCE.
- Restrict and audit all inbound HTTP requests to the gitserver service; exposure of gitserver to untrusted networks is the primary prerequisite for exploitation.
- Look for `git remote add` calls via the /exec API using arbitrary or suspicious remote URLs (e.g. fake SSH remotes such as git@lolololz:foo/bar.git) as an intermediate exploitation step.
- The patch in version 3.37.0 introduces a feature flag that must be explicitly enabled for the protections to be active; upgrading alone is insufficient without enabling the flag.
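Detection logic for the indicators above, written for this page as an added example (it is not code from Sourcegraph or from any of the listed sources). It scans constructed gitserver /exec request log lines, in an assumed one-JSON-object-per-line format, for a core.sshCommand config call, an SSH-style remote add, and a push that follows the config change on the same repository.

```python
import json
from datetime import datetime
from typing import Dict, List

# Constructed sample of gitserver /exec request logs. The line format and the
# field names (ts, path, repo, args) are assumptions for this example, not
# Sourcegraph's real log schema. The sshCommand value is a placeholder.
SAMPLE_LOG = """\
{"ts":"2022-06-10T10:00:01Z","path":"/exec","repo":"github.com/org/app","args":["rev-parse","HEAD"]}
{"ts":"2022-06-10T10:00:05Z","path":"/exec","repo":"github.com/org/app","args":["config","core.sshCommand","<placeholder command>"]}
{"ts":"2022-06-10T10:00:06Z","path":"/exec","repo":"github.com/org/app","args":["remote","add","evil","git@lolololz:foo/bar.git"]}
{"ts":"2022-06-10T10:00:07Z","path":"/exec","repo":"github.com/org/app","args":["push","evil"]}
{"ts":"2022-06-10T10:00:09Z","path":"/exec","repo":"github.com/org/other","args":["push","origin"]}
"""


def classify_args(args: List[str]) -> List[str]:
    """Tag one git argument vector with the exploit stages it matches."""
    tags = []
    # Stage 1: `config` plus a core.sshCommand key (git config keys are case-insensitive)
    if "config" in args and any(a.lower().startswith("core.sshcommand") for a in args):
        tags.append("sshcommand_set")
    # Intermediate step: `remote add <name> user@host:path` (scp-style SSH remote)
    if len(args) >= 4 and args[:2] == ["remote", "add"] and "@" in args[3] and ":" in args[3]:
        tags.append("ssh_remote_added")
    # Trigger: any push makes git invoke whatever core.sshCommand now points at
    if args and args[0] == "push":
        tags.append("push")
    return tags


def detect(log_text: str, window_seconds: int = 600) -> List[Dict]:
    """Return alerts in log order; a push within window_seconds of a
    core.sshCommand change on the same repo is escalated to critical."""
    alerts, tainted = [], {}  # tainted: repo -> time core.sshCommand was set
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = json.loads(line)
        if req.get("path") != "/exec":
            continue
        repo = req.get("repo")
        ts = datetime.fromisoformat(req["ts"].replace("Z", "+00:00"))
        tags = classify_args(req.get("args", []))
        if "sshcommand_set" in tags:
            tainted[repo] = ts
            alerts.append({"severity": "high", "stage": "core.sshCommand set", "repo": repo, "ts": req["ts"]})
        if "ssh_remote_added" in tags:
            alerts.append({"severity": "medium", "stage": "ssh remote added", "repo": repo, "ts": req["ts"]})
        if "push" in tags and repo in tainted and (ts - tainted[repo]).total_seconds() <= window_seconds:
            alerts.append({"severity": "critical", "stage": "push after core.sshCommand change", "repo": repo, "ts": req["ts"]})
    return alerts
```

Running `detect(SAMPLE_LOG)` yields three alerts for `github.com/org/app` (high, medium, critical) and none for the unrelated push on `github.com/org/other`.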
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.0 MEDIUM, AV:N/AC:M/Au:S/C:P/I:P/A:P
No advisories linked to this vulnerability.
No detection rules found.
Exploit-DB
Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
exploitdb · 2022-06-14 · CVSS 8.8
---
# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)
# Date: 2022-06-10
# Exploit Author: Altelus
# Vendor Homepage: https://about.sourcegraph.com/
# Version: 3.63.3
# Tested on: Linux
# CVE : CVE-2022-23642
# Docker Container: sourcegraph/server:3.36.3
# Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service.
# This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed
# on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible
# if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3
#
# Exploitation parameters:
# - Exposed Sourcegraph gitserver
# - Existing repo o
Metasploit
Sourcegraph gitserver sshCommand RCE
metasploit
A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the commands that are able to be executed through the git exec REST API.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/167506/Sourcegraph-Gitserver-3.36.3-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167741/Sourcegraph-gitserver-sshCommand-Remote-Command-Execution.html
- https://github.com/sourcegraph/sourcegraph/pull/30833
- https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9