CVE-2022-23642

🗓️ 18 Feb 2022 22:15:11Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 5 Media mentions👁 163 Views🌐 WEB

Sourcegraph code search & navigation engine vulnerable to remote code execution in gitserver

Reporter	Title	Published	Views	Family All 21
0day.today	Sourcegraph Gitserver 3.36.3 - Remote Code Execution Exploit	14 Jun 202200:00	–	zdt
0day.today	Sourcegraph gitserver sshCommand Remote Command Execution Exploit	14 Jul 202200:00	–	zdt
GithubExploit	Exploit for Code Injection in Sourcegraph	10 Jun 202206:12	–	githubexploit
Circl	CVE-2022-23642	19 Feb 202202:38	–	circl
CNNVD	Sourcegraph 代码注入漏洞	18 Feb 202200:00	–	cnnvd
CNVD	Sourcegraph code injection vulnerability	22 Feb 202200:00	–	cnvd
Check Point Advisories	Sourcegraph Command Injection (CVE-2022-23642)	20 Jul 202200:00	–	checkpoint_advisories
Cvelist	CVE-2022-23642 Code Injection in Sourcegraph	18 Feb 202222:15	–	cvelist
Exploit DB	Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)	14 Jun 202200:00	–	exploitdb
Metasploit	Sourcegraph gitserver sshCommand RCE	16 Jul 202217:42	–	metasploit

NVD

Vulners

Node

sourcegraph sourcegraphRange<3.37

[
  {
    "product": "sourcegraph",
    "vendor": "sourcegraph",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.37"
      }
    ]
  }
]

Source	Link
github	www.github.com/sourcegraph/sourcegraph/pull/30833
packetstormsecurity	www.packetstormsecurity.com/files/167506/Sourcegraph-Gitserver-3.36.3-Remote-Code-Execution.html
packetstormsecurity	www.packetstormsecurity.com/files/167741/Sourcegraph-gitserver-sshCommand-Remote-Command-Execution.html
github	www.github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9

Parameter	Position	Path	Description	CWE
Repo	request body	/exec	Endpoint used to modify gitserver config (core.sshCommand) via exec API, enabling remote code execution.	CWE-862, CWE-94
Args	request body	/exec	Endpoint used to modify gitserver config (core.sshCommand) via exec API, enabling remote code execution.	CWE-862, CWE-94