CVE-2022-31155 - Vulnerability Details - OpenCVE

Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users’ saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sourcegraph	Sourcegraph

Configuration 1 [-]

cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59
https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-01T18:40:28

Updated: 2024-08-03T07:11:39.805Z

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31155

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-01T19:15:08.270

Modified: 2024-11-21T07:04:00.980

Link: CVE-2022-31155

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "sourcegraph", "vendor": "sourcegraph", "versions": [{"status": "affected", "version": "< 3.41.0"}]}], "descriptions": [{"lang": "en", "value": "Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users\u2019 saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users\u2019 saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-01T18:40:28", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59"}], "source": {"advisory": "GHSA-37qp-9jq6-f6mx", "discovery": "UNKNOWN"}, "title": "Unauthorized overwriting of saved searches in Sourcegraph", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31155", "STATE": "PUBLIC", "TITLE": "Unauthorized overwriting of saved searches in Sourcegraph"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "sourcegraph", "version": {"version_data": [{"version_value": "< 3.41.0"}]}}]}, "vendor_name": "sourcegraph"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users\u2019 saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users\u2019 saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx", "refsource": "CONFIRM", "url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx"}, {"name": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59", "refsource": "MISC", "url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59"}]}, "source": {"advisory": "GHSA-37qp-9jq6-f6mx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:39.805Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31155", "datePublished": "2022-08-01T18:40:28", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:11:39.805Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*", "matchCriteriaId": "14A4E178-28C9-4AC6-B1C3-8F66EF3DC4FD", "versionEndExcluding": "3.41.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users\u2019 saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users\u2019 saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended."}, {"lang": "es", "value": "Sourcegraph es un motor de b\u00fasqueda y navegaci\u00f3n de c\u00f3digo abierto. En Sourcegraph versiones anteriores a 3.41.0, es posible que un atacante borre las b\u00fasquedas guardadas de otros usuarios debido a un error en la comprobaci\u00f3n de la autorizaci\u00f3n. La vulnerabilidad no permite leer las b\u00fasquedas guardadas de otros usuarios, s\u00f3lo sobrescribirlas con b\u00fasquedas controladas por el atacante. El problema est\u00e1 parcheado en Sourcegraph versi\u00f3n 3.41.0. No se presenta una mitigaci\u00f3n para este problema y es recomendado encarecidamente la actualizaci\u00f3n a una versi\u00f3n segura"}], "id": "CVE-2022-31155", "lastModified": "2024-11-21T07:04:00.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-01T19:15:08.270", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}