PT-2022-19428

Published: 2022-05-05 · Updated: 2023-07-21 · CVE-2022-29171

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sourcegraph versions prior to 3.38.0
Description: Remote code execution in the gitserver service of Sourcegraph, a code search and navigation engine. The Gitolite code host integration with Phabricator lets a Sourcegraph site admin specify a callsignCommand. Before 3.38.0 that command string could be set to an arbitrary value and then executed remotely on gitserver, so an administrator holding both site-admin privileges on Sourcegraph and administrative access to the bundled Grafana instance could run commands of their choosing there, gaining direct access to the infrastructure underlying the Sourcegraph installation. Exploitation requires all three of the following: site-admin privileges on the Sourcegraph instance, administrative privileges on the bundled Grafana monitoring instance, and knowledge of the gitserver IP address or DNS name. Both roles are already highly privileged within the application, so the practical impact is escalation from application administration to the hosts the application runs on.
Recommendations: Upgrade to Sourcegraph 3.38.0 or later. Until the upgrade is applied, disable Gitolite code hosts as a temporary workaround; the callsignCommand is part of the Gitolite code host configuration, so disabling those code hosts removes the setting that gitserver would execute.
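The two checks a practitioner wants while working through the recommendation are "is this instance below 3.38.0?" and "which Gitolite code hosts actually carry a callsignCommand, so which ones must be disabled until then?". The Go program below is an added example written for this page; it is not Sourcegraph's own code and is not from the advisory. The JSON field names it reads (`prefix`, `host`, `phabricator.url`, `phabricator.callsignCommand`) are assumed from the Gitolite code host connection schema, the sample configs are constructed, and the 3.38.0 cutoff is the one the advisory states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Phabricator holds the Gitolite/Phabricator integration settings relevant here.
type Phabricator struct {
	URL             string `json:"url"`
	CallsignCommand string `json:"callsignCommand"`
}

// GitoliteConnection is the subset of a Sourcegraph Gitolite code host config
// this check looks at. Field names are assumed from the Gitolite connection
// schema (prefix, host, phabricator.url, phabricator.callsignCommand).
type GitoliteConnection struct {
	Prefix      string       `json:"prefix"`
	Host        string       `json:"host"`
	Phabricator *Phabricator `json:"phabricator,omitempty"`
}

// Finding is one Gitolite code host whose config carries a callsignCommand.
type Finding struct {
	Host            string
	CallsignCommand string
}

// FindCallsignCommands parses Gitolite code host configs (one JSON document
// each) and returns those that set a non-empty callsignCommand. Those are the
// code hosts to disable while the instance is still below 3.38.0.
func FindCallsignCommands(configs []string) ([]Finding, error) {
	var out []Finding
	for _, raw := range configs {
		var c GitoliteConnection
		if err := json.Unmarshal([]byte(raw), &c); err != nil {
			return nil, fmt.Errorf("parse gitolite config: %w", err)
		}
		if c.Phabricator != nil && strings.TrimSpace(c.Phabricator.CallsignCommand) != "" {
			out = append(out, Finding{Host: c.Host, CallsignCommand: c.Phabricator.CallsignCommand})
		}
	}
	return out, nil
}

// parseVersion turns "3.37.1", "v3.38.0" or "3.38.0-rc.1" into numeric
// components plus a flag telling whether a pre-release suffix was present.
func parseVersion(v string) (parts [3]int, pre bool, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = strings.HasPrefix(v[i:], "-")
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) < 2 || len(fields) > 3 {
		return parts, false, fmt.Errorf("unrecognised version %q", v)
	}
	for i, f := range fields {
		n, convErr := strconv.Atoi(f)
		if convErr != nil || n < 0 {
			return parts, false, fmt.Errorf("unrecognised version %q", v)
		}
		parts[i] = n
	}
	return parts, pre, nil
}

// IsVulnerable reports whether a Sourcegraph version is below 3.38.0, the first
// release the advisory lists as fixed. A pre-release of 3.38.0 itself is
// treated as vulnerable, since it predates the fixed release.
func IsVulnerable(version string) (bool, error) {
	got, pre, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	fixed := [3]int{3, 38, 0}
	for i := range got {
		if got[i] != fixed[i] {
			return got[i] < fixed[i], nil
		}
	}
	return pre, nil
}

func main() {
	// Constructed sample configs for this example, not taken from a real instance.
	sample := []string{
		`{"prefix":"gitolite.example.com/","host":"git@gitolite.example.com"}`,
		`{"prefix":"gitolite.internal/","host":"git@gitolite.internal","phabricator":{"url":"https://phab.example.com","callsignCommand":"/opt/sourcegraph/callsign.sh"}}`,
	}
	findings, err := FindCallsignCommands(sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: callsignCommand %q is configured; disable this code host until the upgrade\n", f.Host, f.CallsignCommand)
	}
	for _, v := range []string{"3.37.1", "3.38.0-rc.1", "3.38.0", "3.40.2"} {
		vuln, err := IsVulnerable(v)
		if err != nil {
			panic(err)
		}
		fmt.Printf("Sourcegraph %s affected: %v\n", v, vuln)
	}
}
```

Feed `FindCallsignCommands` the Gitolite code host configs exported from the site admin UI; a host without a `phabricator` block, or with a blank `callsignCommand`, is not reported. The version check deliberately treats a pre-release tag of 3.38.0 as still affected, which is the conservative reading of "versions prior to 3.38.0".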

Weakness Enumeration

Special Elements Injection
Code Injection

Related Identifiers

CVE-2022-29171
GHSA-R2M9-HFG8-4C38

Affected Products

Grafana
Phabricator
Sourcegraph