CVE-2022-29171
CVE-2022-29171 is a medium-severity vulnerability in Sourcegraph with a CVSS 3.x base score of 6.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-94.
Key facts
- Severity: Medium (CVSS 3.x base score 6.6)
- CVSS v2: 6.0
- EPSS exploit prediction: 1% (65th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-94
- Affected product: Sourcegraph
- Published:
- Last modified:
Description
Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a `callsignCommand`, which is used to obtain the Phabricator metadata for a Gitolite repository. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraph’s bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation. The attack requires: site-admin privileges on the instance of Sourcegraph, Administrative privileges on the bundled Grafana monitoring instance, Knowledge of the gitserver IP address or DNS name (if running in Kubernetes). This can be found through Grafana. The issue is patched in version 3.38.0. You may disable Gitolite code hosts. We still highly encourage upgrading regardless of workarounds.
Frequently asked questions
- What is CVE-2022-29171?
- Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a `callsignCommand`, which is used to obtain the Phabricator metadata for a Gitolite repository. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraph’s bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation. The attack requires: site-admin privileges on the instance of Sourcegraph, Administrative privileges on the bundled Grafana monitoring instance, Knowledge of the gitserver IP address or DNS name (if running in Kubernetes). This can be found through Grafana. The issue is patched in version 3.38.0. You may disable Gitolite code hosts. We still highly encourage upgrading regardless of workarounds.
- How severe is CVE-2022-29171?
- CVE-2022-29171 has a CVSS 3.x base score of 6.6, rated medium severity. It is exploitable over network with high attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-29171 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (65th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-29171?
- CVE-2022-29171 affects Sourcegraph. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-29171?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-29171 published?
- CVE-2022-29171 was published on 2022-05-06 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*
More vulnerabilities in Sourcegraph
- CVE-2022-41943 — Critical (CVSS 9.0): sourcegraph is a code intelligence platform. As a site admin it was possible to execute arbitrary commands on Gitserver…
- CVE-2022-23642 — High (CVSS 8.8): Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code…
- CVE-2022-41942 — High (CVSS 7.9): Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a command Injection vulnerability existed in…
- CVE-2022-23643 — Medium (CVSS 6.5): Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed…
- CVE-2021-43823 — Medium (CVSS 6.5): Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel…
- CVE-2022-31154 — Medium (CVSS 6.4): Sourcegraph is an opensource code search and navigation engine. It is possible for an authenticated Sourcegraph user to…
All CVEs affecting Sourcegraph →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.