Arbitrary Code Execution Affecting github.com/sourcegraph/sourcegraph/cmd/gitserver/server package, versions <3.38.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.34% (73rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMSOURCEGRAPHSOURCEGRAPHCMDGITSERVERSERVER-2808876
  • published6 May 2022
  • disclosed6 May 2022
  • creditUnknown

Introduced: 6 May 2022

CVE-2022-29171  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade github.com/sourcegraph/sourcegraph/cmd/gitserver/server to version 3.38.0 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution in the gitserver service. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraph’s bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation.

References

CVSS Scores

version 3.1