CVE-2022-41942 : Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a comman

Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a command Injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the `/list-gitolite` endpoint. It was possible to send a crafted request to gitserver that would execute commands inside the container. Successful exploitation requires the ability to send local requests to gitserver. The issue is patched in version 4.1.0.

Published 2022-11-22 19:15:18

Updated 2022-11-26 03:30:52

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2022-41942

Sourcegraph » Sourcegraph
Versions before (<) 4.1.0
cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-41942

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 21 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41942

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.9	HIGH	CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L	1.3	6.0	GitHub, Inc.
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: Low

CWE ids for CVE-2022-41942

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: security-advisories@github.com (Primary)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-41942

https://github.com/sourcegraph/sourcegraph/pull/42553

Add hostname validation by evict · Pull Request #42553 · sourcegraph/sourcegraph · GitHub
Patch;Third Party Advisory
https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-pfm3-23mh-6xjp

Command Injection in gitserver · Advisory · sourcegraph/sourcegraph · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-41942

Products affected by CVE-2022-41942

Exploit prediction scoring system (EPSS) score for CVE-2022-41942

CVSS scores for CVE-2022-41942

CWE ids for CVE-2022-41942

References for CVE-2022-41942