First published: Mon Aug 01 2022
Sourcegraph is an open-source code search and navigation engine. An authenticated Sourcegraph user can edit the Code Monitors owned by any other Sourcegraph user, including both the trigger and the action of the monitor in question. An attacker cannot read the contents of existing code monitors, only overwrite them. The issue is fixed in Sourcegraph 3.42. There is no workaround for the issue and patching is highly recommended.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sourcegraph Sourcegraph | < 3.42.0 | Update to 3.42.0 or later |
CVE-2022-31154 is a vulnerability in Sourcegraph, an open-source code search and navigation engine, that allows an authenticated user to edit Code Monitors owned by other users.
CVE-2022-31154 has a severity rating of 4.3, which is considered medium.
An attacker can exploit CVE-2022-31154 by editing the trigger and action of Code Monitors owned by other users on Sourcegraph.
Sourcegraph versions up to and excluding 3.42.0 are affected by CVE-2022-31154.
To fix CVE-2022-31154, users should update Sourcegraph to version 3.42.0 or later.
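The flaw described above is a missing ownership check on an update path: the caller is authenticated, but the server never verifies that the caller owns the monitor being edited. The following Go snippet is an added illustration, not Sourcegraph's own code; the `Monitor`, `Store` and `Update` names and the integer user/monitor IDs are assumptions. It places the flawed update beside a hardened one that refuses before any field is written.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified code monitor model (an assumption, not Sourcegraph's own code).
type Monitor struct {
	ID      int
	OwnerID int    // user who created the monitor
	Trigger string // search query whose new results fire the monitor
	Action  string // what happens on a hit, e.g. "email" or "webhook"
}

// Store holds monitors keyed by ID; a real service would back this with a database.
type Store struct{ monitors map[int]*Monitor }
func NewStore() *Store { return &Store{monitors: map[int]*Monitor{}} }

var ErrNotFound = errors.New("monitor not found")
var ErrForbidden = errors.New("forbidden: actor does not own this monitor")

// UpdateUnchecked shows the flawed pattern: the caller is authenticated (actorID is
// known) but never compared to the owner, so any user can overwrite any monitor.
func (s *Store) UpdateUnchecked(actorID, id int, trigger, action string) error {
	m, ok := s.monitors[id]
	if !ok {
		return ErrNotFound
	}
	m.Trigger, m.Action = trigger, action
	return nil
}

// Update is the hardened form: ownership is verified before any field is written.
func (s *Store) Update(actorID, id int, trigger, action string) error {
	m, ok := s.monitors[id]
	if !ok {
		return ErrNotFound
	}
	if m.OwnerID != actorID {
		return ErrForbidden // refuse before touching the record
	}
	m.Trigger, m.Action = trigger, action
	return nil
}

func main() {
	s := NewStore()
	s.monitors[1] = &Monitor{ID: 1, OwnerID: 10, Trigger: "repo:org/app TODO", Action: "email"}
	fmt.Println(s.Update(20, 1, "x", "webhook"), s.UpdateUnchecked(20, 1, "x", "webhook")) // forbidden, <nil>
}
```

The check belongs on every mutating path (update and delete alike), and a regression test that exercises a non-owner caller is the cheapest way to keep it there.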