CVE-2022-31155

Unauthorized overwriting of saved searches in Sourcegraph

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users’ saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended.

Sourcegraph es un motor de búsqueda y navegación de código abierto. En Sourcegraph versiones anteriores a 3.41.0, es posible que un atacante borre las búsquedas guardadas de otros usuarios debido a un error en la comprobación de la autorización. La vulnerabilidad no permite leer las búsquedas guardadas de otros usuarios, sólo sobrescribirlas con búsquedas controladas por el atacante. El problema está parcheado en Sourcegraph versión 3.41.0. No se presenta una mitigación para este problema y es recomendado encarecidamente la actualización a una versión segura

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-08-01 CVE Published
2024-02-22 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-863: Incorrect Authorization

CAPEC

References (2)

URL	Tag	Source
https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59	2023-11-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sourcegraph Search vendor "Sourcegraph"		Sourcegraph Search vendor "Sourcegraph" for product "Sourcegraph"				< 3.41.0 Search vendor "Sourcegraph" for product "Sourcegraph" and version " < 3.41.0"		-		Affected