PT-2022-26172 · Sourcegraph · Sourcegraph

Published: 2022-11-22 · Updated: 2022-11-26 · CVE-2022-41942

CVSS v3.1: 7.9 (High)
Vector: AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Sourcegraph versions prior to 4.1.0

Description: The issue is a command injection vulnerability in the gitserver service, which is present in every Sourcegraph deployment. It was caused by a lack of input validation on the host parameter of the "/list-gitolite" endpoint: a crafted request to gitserver could execute commands inside the container. Successful exploitation requires the ability to send local requests to gitserver.

Recommendations: For versions prior to 4.1.0, update to version 4.1.0 to resolve the issue. As a temporary workaround, restrict access to the "/list-gitolite" endpoint to minimize the risk of exploitation, and avoid using the host parameter of the affected endpoint until the issue is resolved.
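The advisory attributes the issue to missing validation of the host parameter before it reaches a process invocation. The following is an added illustration, not Sourcegraph's code, of the hardened shape such a handler should take: strict hostname validation, a deployment allowlist, and argv built element by element with no shell involved. The ssh invocation, the handler and function names, and the allowlist entry are assumptions, since the page does not show the upstream command.

```go
package main
// Added illustration, not Sourcegraph's code: the hypothetical handler validates
// the host parameter before it reaches a process invocation. The upstream
// command is not on the page, so the ssh argv below is an assumption.
import (
	"errors"
	"net/http"
	"os/exec"
	"regexp"
	"strings"
)

// RFC 1123 hostname: alphanumeric labels with inner hyphens, joined by dots.
// This excludes shell metacharacters and a leading "-" that ssh would parse.
var hostnameRE = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)
// allowedHosts is a deployment allowlist (constructed sample value).
var allowedHosts = map[string]bool{"gitolite.example.internal": true}
func validateGitoliteHost(host string) error {
	if host == "" || len(host) > 253 || !hostnameRE.MatchString(host) {
		return errors.New("host is not a valid hostname")
	}
	if !allowedHosts[strings.ToLower(host)] {
		return errors.New("host is not an allowed gitolite server")
	}
	return nil
}

// gitoliteListArgs builds argv element by element; no shell ever sees host.
func gitoliteListArgs(host string) ([]string, error) {
	if err := validateGitoliteHost(host); err != nil {
		return nil, err
	}
	return []string{"ssh", "--", "git@" + host, "info"}, nil
}

// listGitoliteHandler rejects bad input with 400 instead of running anything.
func listGitoliteHandler(w http.ResponseWriter, r *http.Request) {
	args, err := gitoliteListArgs(r.URL.Query().Get("host"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := exec.Command(args[0], args[1:]...).Output()
	if err != nil {
		http.Error(w, "gitolite query failed", http.StatusBadGateway)
		return
	}
	_, _ = w.Write(out)
}
```

Register the handler with `http.HandleFunc("/list-gitolite", listGitoliteHandler)` on a loopback-only listener; together with the allowlist, that mirrors the advisory's workaround of restricting who can reach the endpoint.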

Tags: Exploit · Fix · OS Command Injection · RCE

Weakness Enumeration

Related Identifiers: CVE-2022-41942, GHSA-PFM3-23MH-6XJP

Affected Products: Sourcegraph