CVE-2022-31155

Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other usersâ€™ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other usersâ€™ saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59	Patch Third Party Advisory
https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*

History

08 Aug 2022, 14:43

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
CPE		cpe:2.3:a:sourcegraph:sourcegraph::::::::
References	~~(CONFIRM) https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx -~~	(CONFIRM) https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx - Third Party Advisory
References	~~(MISC) https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59 -~~	(MISC) https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59 - Patch, Third Party Advisory

01 Aug 2022, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-08-01 19:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-31155

Mitre link : CVE-2022-31155

CVE.ORG link : CVE-2022-31155

JSON object : View

Products Affected

sourcegraph

sourcegraph

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2022-31155", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-08-01T19:15:08.270", "references": [{"url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users\u2019 saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users\u2019 saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended."}, {"lang": "es", "value": "Sourcegraph es un motor de b\u00fasqueda y navegaci\u00f3n de c\u00f3digo abierto. En Sourcegraph versiones anteriores a 3.41.0, es posible que un atacante borre las b\u00fasquedas guardadas de otros usuarios debido a un error en la comprobaci\u00f3n de la autorizaci\u00f3n. La vulnerabilidad no permite leer las b\u00fasquedas guardadas de otros usuarios, s\u00f3lo sobrescribirlas con b\u00fasquedas controladas por el atacante. El problema est\u00e1 parcheado en Sourcegraph versi\u00f3n 3.41.0. No se presenta una mitigaci\u00f3n para este problema y es recomendado encarecidamente la actualizaci\u00f3n a una versi\u00f3n segura"}], "lastModified": "2023-11-07T03:47:33.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14A4E178-28C9-4AC6-B1C3-8F66EF3DC4FD", "versionEndExcluding": "3.41.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}