Sourcegraph Security Vulnerabilities and Issues — Sourcegraph CVE List

Lucene search

SourcegraphSourcegraph

10 matches found

CVE•added 2022/02/18 11:15 p.m.•150 views

CVE-2022-23642

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the gitserver service. The service acts as a git exec proxy, and fails to properly restrict calling git config. This allows an attacker to set the git core.sshCommand opti...

8.8CVSS8.8AI score0.84439EPSS

CVE•added 2022/02/15 10:15 p.m.•107 views

CVE-2022-23643

Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects onl...

6.5CVSS6.3AI score0.00234EPSS

CVE•added 2022/05/06 12:15 a.m.•74 views

CVE-2022-29171

Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a callsignCommand, which is used to obtain t...

7.2CVSS7AI score0.0224EPSS

CVE•added 2022/08/01 7:15 p.m.•54 views

CVE-2022-31155

Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users’ saved searches, only over...

4.3CVSS4.5AI score0.00063EPSS

CVE•added 2022/11/22 7:15 p.m.•53 views

CVE-2022-41942

Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a command Injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the /list-gitolite endpoint. It wa...

7.9CVSS7.8AI score0.00083EPSS

CVE•added 2022/08/01 7:15 p.m.•49 views

CVE-2022-31154

Sourcegraph is an opensource code search and navigation engine. It is possible for an authenticated Sourcegraph user to edit the Code Monitors owned by any other Sourcegraph user. This includes being able to edit both the trigger and the action of the monitor in question. An attacker is not able to...

6.4CVSS4.7AI score0.00042EPSS

CVE•added 2022/11/22 7:15 p.m.•44 views

CVE-2022-41943

sourcegraph is a code intelligence platform. As a site admin it was possible to execute arbitrary commands on Gitserver when the experimental customGitFetch feature was enabled. This experimental feature has now been disabled by default. This issue has been patched in version 4.1.0.

9CVSS7.6AI score0.00034EPSS

CVE•added 2021/12/13 8:15 p.m.•38 views

CVE-2021-43823

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A succ...

6.5CVSS6.3AI score0.00234EPSS

CVE•added 2020/04/30 5:15 a.m.•33 views

CVE-2020-12283

Sourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL method in cmd/frontend/auth/redirect.go, such as for the //foo//example.com substring.

6.1CVSS6.3AI score0.00257EPSS

CVE•added 2021/08/02 10:15 p.m.•32 views

CVE-2021-32787

Sourcegraph is a code search and navigation engine. Sourcegraph before version 3.30.0 has two potential information leaks. The site-admin area can be accessed by regular users and all information and features are properly protected except for daily usage statistics and code intelligence uploads and...

4.3CVSS4.3AI score0.00199EPSS