Vulnerability Details : CVE-2022-31154
Sourcegraph is an opensource code search and navigation engine. It is possible for an authenticated Sourcegraph user to edit the Code Monitors owned by any other Sourcegraph user. This includes being able to edit both the trigger and the action of the monitor in question. An attacker is not able to read contents of existing code monitors, only override the data. The issue is fixed in Sourcegraph 3.42. There are no workaround for the issue and patching is highly recommended.
Products affected by CVE-2022-31154
- cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31154
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 16 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-31154
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
2.8
|
1.4
|
NIST | |
6.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L |
3.1
|
2.7
|
GitHub, Inc. |
CWE ids for CVE-2022-31154
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2022-31154
-
https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-5866-hhq9-9hpc
Indirect Object Access in Sourcegraph Code Monitoring · Advisory · sourcegraph/sourcegraph · GitHubThird Party Advisory
-
https://github.com/sourcegraph/sourcegraph/pull/37526
Code monitors: fix issue with action/trigger perms checking by camdencheek · Pull Request #37526 · sourcegraph/sourcegraph · GitHubPatch;Third Party Advisory
Jump to