
10 matches found

CVE | added 2022/02/18 10:15 p.m. | 162 views

CVE-2022-23642

Sourcegraph prior to 3.37 is vulnerable to remote code execution in the gitserver service due to insufficient restriction on git config execution. The issue arises when an attacker who can access internal gitserver HTTP endpoints can set the git core.sshCommand option, causing git to execute arbi...

CVSS 8.8 | AI score 8.8 | EPSS 0.85278 | Web
CVE | added 2022/02/15 9:25 p.m. | 112 views

CVE-2022-23643

CVE-2022-23643 covers a side-channel vulnerability in Sourcegraph Code Monitors. Affected are Sourcegraph 3.35 and 3.36, where private-source strings could be inferred by an authenticated but unauthorized actor via the Code Monitoring feature. The root cause is a reintroduced issue that was previ...

CVSS 6.5 | AI score 6.3 | EPSS 0.00543
CVE | added 2022/05/05 11:25 p.m. | 81 views

CVE-2022-29171

Sourcegraph ≤ 3.37.0 is vulnerable to Remote Code Execution in the gitserver service. The Gitolite code-host integration with Phabricator lets an administrator who can edit/add a Gitolite code-host and has admin access to Sourcegraph’s bundled Grafana instance modify the callsignCommand, which ca...

CVSS 7.2 | AI score 7 | EPSS 0.0224
CVE | added 2022/08/01 6:40 p.m. | 62 views

CVE-2022-31155

Sourcegraph includes an authorization bug that, in versions before 3.41.0, allows an attacker to overwrite (delete) other users’ saved searches with attacker-controlled data. The vulnerability does not enable reading of others’ saved searches. The issue is mitigated by upgrading to Sourcegraph 3....

CVSS 4.3 | AI score 4.5 | EPSS 0.00168
CVE | added 2022/11/22 12:00 a.m. | 60 views

CVE-2022-41942

CVE-2022-41942 affects Sourcegraph’s gitserver component. A command injection existed in the /list-gitolite endpoint due to lack of input validation on the host parameter, exploitable only if an attacker can send local requests to gitserver. Affected versions are those prior to 4.1.0; the issue i...

CVSS 7.9 | AI score 7.8 | EPSS 0.0027
CVE | added 2022/08/01 6:40 p.m. | 54 views

CVE-2022-31154

CVE-2022-31154 affects Sourcegraph (code search/navigation). An authenticated user can edit Code Monitors owned by other users, allowing override of trigger and action data without reading monitor contents. Root cause is improper restrictions on Code Monitors; no read access gained. The issue is ...

CVSS 6.4 | AI score 4.7 | EPSS 0.00143
CVE | added 2022/11/22 12:00 a.m. | 49 views

CVE-2022-41943

The CVE-2022-41943 entry concerns Sourcegraph, a code intelligence platform. A site administrator could have executed arbitrary commands on Gitserver via the experimental customGitFetch feature, which is now disabled by default. The issue is patched in Sourcegraph version 4.1.0. In affected envir...

CVSS 9 | AI score 7.6 | EPSS 0.00269
CVE | added 2021/12/13 7:55 p.m. | 45 views

CVE-2021-43823

Sourcegraph before version 3.33.2 is affected by a side-channel vulnerability in the Saved Searches and Code Monitoring features. An authenticated but unauthorized actor could create many Saved Searches or Code Monitors to infer whether specific strings exist in private source code, potentially e...

CVSS 6.5 | AI score 6.3 | EPSS 0.00543
CVE | added 2020/04/30 4:07 a.m. | 39 views

CVE-2020-12283

Sourcegraph before 3.15.1 is affected by an improper validation in the SafeRedirectURL method (cmd/frontend/auth/redirect.go), leading to a vulnerable authentication workflow (example: //foo//example.com). The issue is tied to the authentication redirect logic and can enable an open redirect/auth...

CVSS 6.1 | AI score 6.3 | EPSS 0.00257
CVE | added 2021/08/02 10:00 p.m. | 39 views

CVE-2021-32787

CVE-2021-32787 affects Sourcegraph before version 3.30.0. The vulnerability exposes information in the site-admin area to regular users, leaking daily usage statistics and code intelligence uploads/indexes while not allowing alteration of other features. The root cause is improper access to site-...

CVSS 4.3 | AI score 4.3 | EPSS 0.00199