CVE-2022-41942 HIGH

CVE-2022-41942: Sourcegraph vulnerable to Command Injection via gitserver

Vendor Sourcegraph
Product sourcegraph
Weakness CWE-20 · Improper Input Validation
Published November 22, 2022
Last update April 23, 2025

CVSS base score

7.9/10
Attack vector Adjacent
Attack complexity High
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

Description

Sourcegraph is a code intelligence platform. In versions prior to 4.1.0, a command injection vulnerability existed in the gitserver service, which is present in all Sourcegraph deployments. The flaw was caused by a lack of input validation on the host parameter of the `/list-gitolite` endpoint: a crafted request to gitserver could execute arbitrary commands inside the gitserver container. Successful exploitation requires the ability to send local requests to gitserver, that is, network access to the gitserver service itself rather than to the user-facing frontend; this requirement is what the Adjacent attack vector (AV:A) in the CVSS vector reflects. The issue is patched in version 4.1.0. Deployments that cannot upgrade immediately should confirm that gitserver is not reachable from untrusted networks.
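The following Go program is an added illustration of the bug class described above and of the fix pattern (validate the host, then exec without a shell). It is not Sourcegraph's gitserver code; the handler names, the `gitolite` query parameter, the `ssh <host> info` command and the `allowedGitoliteHosts` allowlist are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os/exec"
	"regexp"
)

// Hypothetical stand-in for the Gitolite hosts an operator has configured.
// This is not Sourcegraph's configuration format.
var allowedGitoliteHosts = map[string]bool{
	"git.example.com": true,
}

// vulnerableCommandLine shows the shape of the flaw: the caller-supplied host
// is spliced into a shell command line. A value such as
// "git.example.com; id" makes the shell run a second command.
func vulnerableCommandLine(host string) string {
	return fmt.Sprintf("ssh %s info", host)
}

// vulnerableListGitolite is the unvalidated pattern: the host parameter goes
// straight into `sh -c`. Illustrative only; do not deploy.
func vulnerableListGitolite(w http.ResponseWriter, r *http.Request) {
	host := r.URL.Query().Get("gitolite")
	out, err := exec.Command("sh", "-c", vulnerableCommandLine(host)).CombinedOutput()
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	w.Write(out)
}

// hostPattern accepts DNS-style names only. A leading '-' is excluded so the
// value cannot be read by ssh as an option, and shell metacharacters
// (';', '|', '$', '`', space, quotes) cannot pass at all.
var hostPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$`)

// validateGitoliteHost applies a syntactic check and an allowlist check:
// only a host the operator configured may be contacted.
func validateGitoliteHost(host string, allowed map[string]bool) error {
	if !hostPattern.MatchString(host) {
		return errors.New("gitolite host has invalid syntax")
	}
	if !allowed[host] {
		return fmt.Errorf("gitolite host %q is not configured", host)
	}
	return nil
}

// gitoliteInfoArgs builds argv directly; no shell is involved, so the host
// stays a single argument whatever characters it contains.
func gitoliteInfoArgs(host string) []string {
	return []string{"ssh", host, "info"}
}

// hardenedListGitolite validates first and then execs without a shell.
func hardenedListGitolite(w http.ResponseWriter, r *http.Request) {
	host := r.URL.Query().Get("gitolite")
	if err := validateGitoliteHost(host, allowedGitoliteHosts); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	args := gitoliteInfoArgs(host)
	out, err := exec.Command(args[0], args[1:]...).CombinedOutput()
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	w.Write(out)
}

func main() {
	// Constructed inputs: a configured host and an injection attempt.
	for _, h := range []string{"git.example.com", "git.example.com; id"} {
		fmt.Printf("%-24q shell line: %q\n", h, vulnerableCommandLine(h))
		fmt.Printf("%-24q validate:   %v\n", h, validateGitoliteHost(h, allowedGitoliteHosts))
	}
}
```

In a real service the hardened handler would be the one registered for `/list-gitolite`; the vulnerable one is kept only for side-by-side reading. The allowlist matters as much as the character filter: without it, a syntactically clean but attacker-chosen host still lets the request point gitserver's ssh client at an arbitrary machine.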

Key dates

Disclosure timeline

November 22, 2022 CVE published
April 23, 2025 Record updated