CVE-2022-41943

Published: Nov 22, 2022Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

sourcegraph is a code intelligence platform. As a site admin it was possible to execute arbitrary commands on Gitserver when the experimental `customGitFetch` feature was enabled. This experimental feature has now been disabled by default. This issue has been patched in version 4.1.0.

Affected (1)

Products: Sourcegraph: Sourcegraph

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sourcegraph Sourcegraph	Before 4.1.0

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (4)

https://github.com/sourcegraph/sourcegraph/pull/42704

Source: security-advisories@github.com

Issue TrackingPatchThird Party Advisory

https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-4qhq-4x4h-fxm8

Source: security-advisories@github.com

Third Party Advisory

https://github.com/sourcegraph/sourcegraph/pull/42704

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-4qhq-4x4h-fxm8

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.