CVE-2022-23642

HIGH

Sourcegraph gitserver sshCommand RCE

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2022-23642. PoCs published by Altelus, Altelus1 and Spencer McIntyre, including the Metasploit module exploits/linux/http/sourcegraph_gitserver_sshcmd.

AI-analyzed exploit summary: This exploit leverages CVE-2022-23642 to achieve RCE on the Sourcegraph gitserver service, which proxies git commands without restricting `git config`, so an attacker can inject an arbitrary command through the `core.sshCommand` option. The exploit first writes the malicious command into that option and then triggers a git push, which makes git run the configured command in place of ssh.

Description

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy and fails to properly restrict calls to `git config`. This allows an attacker to set the git `core.sshCommand` option, which makes git run the specified command in place of ssh whenever it connects to a remote over the ssh transport. Exploitability depends on how Sourcegraph is deployed: an attacker who can make HTTP requests to internal services such as gitserver can exploit it without further authentication. This issue is patched in Sourcegraph version 3.37. As a workaround, restrict network access to gitserver so that only trusted internal services can reach it.
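The two-request pattern described above (a config write followed by a push that makes git invoke the configured command) and the input gate that stops it, as an added Go example. This is not code from the page, the PoCs or Sourcegraph: the JSON field names, the allowlist contents and the push target are assumptions for illustration. It contrasts the flawed acceptance check (any parsable git argv is proxied) with a subcommand allowlist that also refuses global options placed before the subcommand, because `git -c core.sshCommand=... push` reaches the same sink as `git config core.sshCommand ...`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ExecRequest mirrors the shape of a git exec-proxy call: a repo name and the
// git argv to run in that repo's clone. Field names are an assumption for this
// example, not Sourcegraph's wire format.
type ExecRequest struct {
	Repo string   `json:"repo"`
	Args []string `json:"args"`
}

// vulnerableAccept is the flawed gate: anything that parses is proxied, so
// "config core.sshCommand <cmd>" goes straight to .git/config.
func vulnerableAccept(req ExecRequest) bool {
	return req.Repo != "" && len(req.Args) > 0
}

// gitCmdAllowlist: read-only subcommands a code-search proxy needs, each with
// the flags it may take (illustrative set). Subcommands that write config or
// talk to a remote (push, fetch, remote) are deliberately absent.
var gitCmdAllowlist = map[string]map[string]bool{
	"log":       {"--oneline": true, "--format": true, "-n": true, "--name-only": true},
	"show":      {"--format": true, "--stat": true},
	"rev-parse": {"--verify": true, "--symbolic-full-name": true},
	"ls-tree":   {"-r": true, "--name-only": true, "-z": true},
	"cat-file":  {"-p": true, "-t": true, "-s": true},
	"config":    {"--get": true, "--get-all": true}, // reads only
}

// IsAllowedGitCmd is the hardened gate. It refuses global options before the
// subcommand (-c, -C, --git-dir, --config-env, ...), subcommands outside the
// allowlist, flags not listed for that subcommand (so "log --output=FILE"
// cannot write to disk either), and any "config" call that is not a --get*.
func IsAllowedGitCmd(args []string) bool {
	if len(args) == 0 || strings.HasPrefix(args[0], "-") {
		return false
	}
	allowed, ok := gitCmdAllowlist[args[0]]
	if !ok {
		return false
	}
	configRead := false
	for _, a := range args[1:] {
		if a == "--" || !strings.HasPrefix(a, "-") {
			continue // end-of-options marker or positional (ref, path, key)
		}
		if i := strings.IndexByte(a, '='); i > 0 {
			a = a[:i] // normalise --flag=value to --flag
		}
		if !allowed[a] {
			return false
		}
		if strings.HasPrefix(a, "--get") {
			configRead = true
		}
	}
	return args[0] != "config" || configRead
}

// ValidateExecRequest parses a JSON exec body and applies the hardened gate.
func ValidateExecRequest(body []byte) (ExecRequest, error) {
	var req ExecRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return req, err
	}
	if req.Repo == "" || strings.Contains(req.Repo, "..") {
		return req, errors.New("invalid repo name")
	}
	if !IsAllowedGitCmd(req.Args) {
		return req, fmt.Errorf("git %s: rejected by allowlist", strings.Join(req.Args, " "))
	}
	return req, nil
}

func main() {
	// Constructed request bodies. The first two follow the exploit's sequence:
	// set core.sshCommand, then push. The push target is an assumption; git
	// only consults core.sshCommand when it uses its ssh transport.
	samples := []string{
		`{"repo":"github.com/example/repo","args":["config","core.sshCommand","touch /tmp/pwned;"]}`,
		`{"repo":"github.com/example/repo","args":["push","ssh://git@localhost/x"]}`,
		`{"repo":"github.com/example/repo","args":["-c","core.sshCommand=touch /tmp/pwned","push","ssh://git@localhost/x"]}`,
		`{"repo":"github.com/example/repo","args":["log","--oneline","-n","5","HEAD"]}`,
		`{"repo":"github.com/example/repo","args":["config","--get","core.sshCommand"]}`,
	}
	for _, s := range samples {
		var req ExecRequest
		_ = json.Unmarshal([]byte(s), &req)
		_, err := ValidateExecRequest([]byte(s))
		fmt.Printf("vulnerable=%v hardened=%v  git %s\n",
			vulnerableAccept(req), err == nil, strings.Join(req.Args, " "))
	}
}
```

An allowlist of subcommands and flags is the robust shape here: a denylist of `config` alone would still let `-c key=value`, `--config-env`, or a flag such as `log --output=FILE` reach the same process. Network-level isolation of gitserver (the advisory's workaround) remains necessary even with this gate, since the service was never designed to be reachable by untrusted callers.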

Exploits (3)

exploitdb WORKING POC
by Altelus · python · remote · multiple
https://www.exploit-db.com/exploits/50964

This exploit leverages CVE-2022-23642 to achieve RCE on Sourcegraph Gitserver by abusing the lack of restriction on git config execution, allowing arbitrary command injection via the 'core.sshCommand' parameter. The exploit triggers command execution by setting a malicious SSH command and then invoking a git push operation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Sourcegraph Gitserver < 3.37.0
No auth needed
Prerequisites: Exposed Sourcegraph Gitserver service · Existing repository on the target Sourcegraph instance
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 7 stars
by Altelus1 · poc
https://github.com/Altelus1/CVE-2022-23642

This PoC exploits CVE-2022-23642 in Sourcegraph Gitserver < 3.37.0 by abusing the 'core.sshCommand' git config to achieve remote code execution. It sends crafted HTTP requests to set the malicious config and trigger execution via a git push operation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Sourcegraph Gitserver < 3.37.0
No auth needed
Prerequisites: Exposed Sourcegraph gitserver service · Existing repository on the target Sourcegraph instance
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Altelus1, Spencer McIntyre · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/sourcegraph_gitserver_sshcmd.rb

This Metasploit module exploits CVE-2022-23642 in Sourcegraph's gitserver by manipulating the `core.sshCommand` git configuration to achieve remote code execution. It automates the process of identifying cloned repositories, setting the malicious configuration, and triggering execution via a git push operation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Sourcegraph gitserver < 3.37.0 (with feature flag disabled)
No auth needed
Prerequisites: Access to the gitserver's HTTP API (port 3178 by default) · At least one cloned repository on the target
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References (4)
Patch, Third Party Advisory (x_refsource_misc)
https://github.com/sourcegraph/sourcegraph/pull/30833

Scores

CVSS v3 8.8
EPSS 0.7431
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-862, CWE-94
Status published
Products (1)
sourcegraph/sourcegraph < 3.37
Published Feb 18, 2022
Tracked Since Feb 18, 2026