cvedb.io
CVE-2022-29171
MEDIUM · CVSS 6.6
EPSS exploitation probability: 0%
Published 2022-05-06T00:15:08.047 · Last modified 2026-06-17T04:39:44.313

Summary

Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a `callsignCommand`, which is used to obtain the Phabricator metadata for a Gitolite repository. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraph’s bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation. The attack requires: site-admin privileges on the instance of Sourcegraph, Administrative privileges on the bundled Grafana monitoring instance, Knowledge of the git

Affected products

sourcegraph — sourcegraph

Does this affect you?

Add your gear to cvedb and we'll alert you only when sourcegraph ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.