CVE-2022-23642 — AI Deep Analysis Summary

🚨 **Essence**: Sourcegraph allows attackers to inject arbitrary commands via `git` config. <br>💥 **Consequences**: Remote Code Execution (RCE). Attackers can run bash commands on the server.…

🛡️ **Root Cause**: CWE-94 (Code Injection). <br>🔍 **Flaw**: Lack of restriction on `git` config execution. The `core.sshCommand` option is not sanitized, allowing arbitrary bash commands to be passed via HTTP arguments.

📦 **Affected**: Sourcegraph **Gitserver** service. <br>📉 **Versions**: Prior to **v3.37.0** (e.g., v3.36.3). <br>🏢 **Vendor**: Sourcegraph Inc.

💀 **Privileges**: Full RCE on the gitserver host. <br>📂 **Data**: Complete compromise of the server. Attackers can read/write files, install backdoors, and pivot to other internal systems.

⚠️ **Threshold**: Medium. <br>🔑 **Auth**: Requires **Low Privileges** (PR:L). <br>🌐 **Config**: Attacker must be able to send HTTP requests to the internal `gitserver` service.…

🔓 **Exploit**: **Yes**. <br>📜 **PoC**: Publicly available on GitHub (Altelus1/CVE-2022-23642). <br>🌍 **Status**: Tested on v3.36.3. PacketStorm links also exist.

🔍 **Self-Check**: <br>1. Check Sourcegraph version (< 3.37.0). <br>2. Verify if `gitserver` is exposed to untrusted networks. <br>3. Scan for HTTP requests manipulating `core.sshCommand` in git configs.

✅ **Fixed**: **Yes**. <br>🩹 **Patch**: Upgrade to Sourcegraph **v3.37.0** or later. <br>🔗 **Ref**: GitHub Advisory GHSA-qcmp-fx72-q8q9 and PR #30833.

🚧 **Workaround**: <br>1. **Isolate**: Ensure `gitserver` is **not** accessible from untrusted networks. <br>2. **Restrict**: Block HTTP requests to the gitserver endpoint from external IPs. <br>3.…

🔥 **Urgency**: **HIGH**. <br>⚡ **Priority**: Immediate patching required if gitserver is exposed. CVSS Score is **High** (9.8). RCE risk is severe. Do not ignore!