Sourcegraph prior to 3.37.0 has a remote code execution vulnerability in its gitserver service. The service does not restrict execution of git config, so "core.sshCommand" can be passed in the HTTP arguments, and its value can contain arbitrary bash commands. Note that this is only possible if gitserver is exposed to the attacker. This was tested on Sourcegraph 3.36.3.
A Sourcegraph Docker container, version 3.63.3, was used for the testing. The gitserver port 3178 was also exposed.
- Exposed Sourcegraph gitserver
- Existing repo on Sourcegraph
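
The missing restriction described above comes down to validating the git argument list a service receives over HTTP before executing it. The following is an added example, not Sourcegraph's code or its actual fix; `validateGitArgs`, the allowlist contents and the sample requests are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical policy (not Sourcegraph's): read-only subcommands clients may request.
var allowedSubcommands = map[string]bool{
	"log": true, "show": true, "rev-parse": true, "ls-tree": true, "cat-file": true,
}
// Long options that make git run an external program.
var execOptions = []string{"--upload-pack", "--receive-pack", "--exec"}

// validateGitArgs checks a client-supplied argv (without the leading "git")
// before it reaches exec. Default deny: element 0 must be an allowlisted
// subcommand, which rejects "config" and global options such as "-c".
func validateGitArgs(args []string) error {
	if len(args) == 0 {
		return fmt.Errorf("empty argument list")
	}
	if !allowedSubcommands[args[0]] {
		return fmt.Errorf("subcommand or global option %q not allowed", args[0])
	}
	for _, a := range args[1:] {
		name, _, _ := strings.Cut(a, "=")
		for _, opt := range execOptions {
			// git accepts unique abbreviations of long options, so match prefixes.
			if len(name) > 2 && strings.HasPrefix(opt, name) {
				return fmt.Errorf("option %q not allowed", name)
			}
		}
		// Defence in depth: the key from this advisory must never appear.
		if strings.Contains(strings.ToLower(a), "core.sshcommand") {
			return fmt.Errorf("argument %q references core.sshCommand", a)
		}
	}
	return nil
}

func main() {
	// Constructed requests; PLACEHOLDER stands in for a command string.
	for _, s := range [][]string{
		{"log", "-n", "1", "HEAD"},
		{"config", "core.sshCommand", "PLACEHOLDER"},
		{"-c", "core.sshCommand=PLACEHOLDER", "log"},
	} {
		fmt.Printf("%q -> %v\n", s, validateGitArgs(s))
	}
}
```

Argument validation complements, and does not replace, keeping the gitserver port unreachable from untrusted networks, since the issue is only exploitable when gitserver is exposed.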