The Sourcegraph platform offers code intelligence to help developers with their coding tasks. Unfortunately, a major vulnerability has been discovered in the popular gitserver service in versions prior to 4.1.. This vulnerability allowed command injection, making it possible for attackers to execute commands inside the container. In this post, we'll discuss the details of this vulnerability, including a code snippet and related references, and explain why it's crucial to update your instance to version 4.1. or later.

Vulnerability Details

The command injection vulnerability in Sourcegraph was introduced by insufficient input validation on the "host" parameter of the /list-gitolite endpoint. This endpoint is used to list repositories hosted on Gitolite, a popular git server. The vulnerability exists across all Sourcegraph deployments.

Exploit

An attacker could use this vulnerability to send a crafted request to gitserver, allowing them to execute arbitrary commands inside the container. However, to be successful, the attacker would need the ability to send local requests to gitserver.

Here's an example of a vulnerable request:

POST /list-gitolite?host=;cat%20/etc/passwd HTTP/1.1
Host: gitserver.example.com
Content-Type: application/json
Content-Length: 

As a result of this request, gitserver will execute the command cat /etc/passwd, potentially revealing sensitive information from the server.
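To make the root cause concrete, here is an added Go example (not Sourcegraph's own code) that contrasts the injection-prone pattern with a hardened one and reuses the same validator to triage access logs for the /list-gitolite endpoint. It assumes, for illustration only, that the host value ends up in an ssh invocation of the form "ssh <host> info"; the hostname rule and the three log lines are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed hostname rule for the example: optional user@ prefix followed by
// DNS-style labels. This is an assumption, not Sourcegraph's validation logic.
var gitoliteHostRe = regexp.MustCompile(
	`^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?` +
		`(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*$`)

// ErrBadHost is returned for any host value that is not a plain hostname.
var ErrBadHost = errors.New("invalid gitolite host")

// ValidateGitoliteHost rejects shell metacharacters, spaces, slashes and
// anything else that is not part of a hostname (optionally user@host).
func ValidateGitoliteHost(host string) error {
	if host == "" || len(host) > 253 || !gitoliteHostRe.MatchString(host) {
		return fmt.Errorf("%w: %q", ErrBadHost, host)
	}
	return nil
}

// VulnerableCommandLine is the anti-pattern: the untrusted value is spliced
// into a string that a shell will parse, so ";cat /etc/passwd" becomes a
// second command. Shown only to make the defect visible; never use this.
func VulnerableCommandLine(host string) []string {
	return []string{"sh", "-c", "ssh " + host + " info"}
}

// SafeCommandLine validates the host and then passes it as its own argv
// element with no shell in the path, so metacharacters are never interpreted.
func SafeCommandLine(host string) ([]string, error) {
	if err := ValidateGitoliteHost(host); err != nil {
		return nil, err
	}
	return []string{"ssh", host, "info"}, nil
}

// hostParam extracts the raw "host" query value without url.Values, which in
// recent Go versions silently drops pairs containing semicolons.
func hostParam(rawQuery string) (string, bool) {
	for _, kv := range strings.Split(rawQuery, "&") {
		if strings.HasPrefix(kv, "host=") {
			v, err := url.QueryUnescape(strings.TrimPrefix(kv, "host="))
			if err != nil {
				return "", false
			}
			return v, true
		}
	}
	return "", false
}

// SuspiciousListGitoliteRequest reports whether a request target such as
// "/list-gitolite?host=..." carries a host value the validator would reject.
func SuspiciousListGitoliteRequest(target string) (bool, error) {
	u, err := url.Parse(target)
	if err != nil {
		return false, err
	}
	if u.Path != "/list-gitolite" {
		return false, nil
	}
	host, ok := hostParam(u.RawQuery)
	if !ok {
		return false, nil
	}
	return ValidateGitoliteHost(host) != nil, nil
}

// Constructed sample access-log lines (not real Sourcegraph logs).
var sampleLogLines = []string{
	`10.0.0.5 - - [22/Nov/2022:19:15:00 +0000] "POST /list-gitolite?host=git.example.com HTTP/1.1" 200`,
	`10.0.0.9 - - [22/Nov/2022:19:16:02 +0000] "POST /list-gitolite?host=;cat%20/etc/passwd HTTP/1.1" 200`,
	`10.0.0.9 - - [22/Nov/2022:19:16:05 +0000] "GET /healthz HTTP/1.1" 200`,
}

var requestTargetRe = regexp.MustCompile(`"(?:GET|POST) (\S+) HTTP/`)

// FlagSuspiciousLines returns the log lines whose /list-gitolite host value
// fails validation, for reviewing traffic from before the upgrade.
func FlagSuspiciousLines(lines []string) []string {
	var hits []string
	for _, line := range lines {
		m := requestTargetRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if bad, err := SuspiciousListGitoliteRequest(m[1]); err == nil && bad {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	fmt.Println("vulnerable argv:", VulnerableCommandLine(";cat /etc/passwd"))
	if _, err := SafeCommandLine(";cat /etc/passwd"); err != nil {
		fmt.Println("hardened path rejected input:", err)
	}
	for _, hit := range FlagSuspiciousLines(sampleLogLines) {
		fmt.Println("suspicious:", hit)
	}
}
```

The point of the two builders is that validation alone is a backstop; the structural fix is to keep the untrusted value out of any string a shell will parse, which is what passing it as a separate argv element achieves.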

Mitigation

The Sourcegraph team has addressed this vulnerability in version 4.1.. To mitigate the risk, it is imperative that you upgrade your instance to 4.1. or a later version as soon as possible. Further details can be found in the official Sourcegraph 4.1. release notes.

For more information and details on this vulnerability, you can consult the following resources:

1. The official CVE-2022-41942 entry on the MITRE website.
2. Sourcegraph's own Security Advisory addressing this vulnerability.
3. The GitHub repository for Sourcegraph's platform, including source code and release notes.

Conclusion

The CVE-2022-41942 vulnerability in Sourcegraph's gitserver service is a severe command injection issue, affecting all deployments using versions prior to 4.1.. To protect your instance and prevent potential exploits, it is critical to update to version 4.1. or later. Stay informed of additional updates and security advisories by monitoring Sourcegraph's release notes and its official website.

Timeline

Published on: 11/22/2022 19:15:00 UTC
Last modified on: 11/26/2022 03:30:00 UTC