Description
Sourcegraph is a code intelligence platform. In versions prior to 4.1.0, a command injection vulnerability existed in the gitserver service, which is present in all Sourcegraph deployments. The vulnerability was caused by a lack of input validation on the host parameter of the /list-gitolite endpoint: a crafted request to gitserver could execute commands inside the container. Successful exploitation requires the ability to send local requests to gitserver. The issue is patched in version 4.1.0.
References
- Patch, Third Party Advisory
- Third Party Advisory
- Patch, Third Party Advisory
- Third Party Advisory
Affected configurations
Configuration 1: versions before 4.1.0 (excluding)
cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*
EPSS
Score: 0.0027 (percentile: 50%), Low
CVSS3
7.9 High
CVSS3
7.8 High
Weaknesses
CWE-20