CVE-2022-31155 (GCVE-0-2022-31155)
Vulnerability from cvelistv5 – Published: 2022-08-01 18:40 – Updated: 2025-04-23 17:56
Summary
Sourcegraph is an open-source code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users’ saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users’ saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue; updating to a secure version is highly recommended.
Severity
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags |
|---|---|
Impacted products
| Vendor | Product | Version |
|---|---|---|
| sourcegraph | sourcegraph | Affected: < 3.41.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.805Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:02:59.938801Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:56:41.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sourcegraph",
"vendor": "sourcegraph",
"versions": [
{
"status": "affected",
"version": "\u003c 3.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users\u2019 saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users\u2019 saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-01T18:40:28.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59"
}
],
"source": {
"advisory": "GHSA-37qp-9jq6-f6mx",
"discovery": "UNKNOWN"
},
"title": "Unauthorized overwriting of saved searches in Sourcegraph",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31155",
"STATE": "PUBLIC",
"TITLE": "Unauthorized overwriting of saved searches in Sourcegraph"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "sourcegraph",
"version": {
"version_data": [
{
"version_value": "\u003c 3.41.0"
}
]
}
}
]
},
"vendor_name": "sourcegraph"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users\u2019 saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users\u2019 saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx",
"refsource": "CONFIRM",
"url": "https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx"
},
{
"name": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59",
"refsource": "MISC",
"url": "https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59"
}
]
},
"source": {
"advisory": "GHSA-37qp-9jq6-f6mx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31155",
"datePublished": "2022-08-01T18:40:28.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:56:41.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.41.0\", \"matchCriteriaId\": \"14A4E178-28C9-4AC6-B1C3-8F66EF3DC4FD\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users\\u2019 saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users\\u2019 saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended.\"}, {\"lang\": \"es\", \"value\": \"Sourcegraph es un motor de b\\u00fasqueda y navegaci\\u00f3n de c\\u00f3digo abierto. En Sourcegraph versiones anteriores a 3.41.0, es posible que un atacante borre las b\\u00fasquedas guardadas de otros usuarios debido a un error en la comprobaci\\u00f3n de la autorizaci\\u00f3n. La vulnerabilidad no permite leer las b\\u00fasquedas guardadas de otros usuarios, s\\u00f3lo sobrescribirlas con b\\u00fasquedas controladas por el atacante. El problema est\\u00e1 parcheado en Sourcegraph versi\\u00f3n 3.41.0. No se presenta una mitigaci\\u00f3n para este problema y es recomendado encarecidamente la actualizaci\\u00f3n a una versi\\u00f3n segura\"}]",
"id": "CVE-2022-31155",
"lastModified": "2024-11-21T07:04:00.980",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
"published": "2022-08-01T19:15:08.270",
"references": "[{\"url\": \"https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-31155\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-08-01T19:15:08.270\",\"lastModified\":\"2024-11-21T07:04:00.980\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sourcegraph is an opensource code search and navigation engine. In Sourcegraph versions before 3.41.0, it is possible for an attacker to delete other users\u2019 saved searches due to a bug in the authorization check. The vulnerability does not allow the reading of other users\u2019 saved searches, only overwriting them with attacker-controlled searches. The issue is patched in Sourcegraph version 3.41.0. There is no workaround for this issue and updating to a secure version is highly recommended.\"},{\"lang\":\"es\",\"value\":\"Sourcegraph es un motor de b\u00fasqueda y navegaci\u00f3n de c\u00f3digo abierto. En Sourcegraph versiones anteriores a 3.41.0, es posible que un atacante borre las b\u00fasquedas guardadas de otros usuarios debido a un error en la comprobaci\u00f3n de la autorizaci\u00f3n. La vulnerabilidad no permite leer las b\u00fasquedas guardadas de otros usuarios, s\u00f3lo sobrescribirlas con b\u00fasquedas controladas por el atacante. El problema est\u00e1 parcheado en Sourcegraph versi\u00f3n 3.41.0. 
No se presenta una mitigaci\u00f3n para este problema y es recomendado encarecidamente la actualizaci\u00f3n a una versi\u00f3n segura\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sourcegraph:sourcegraph:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.41.0\",\"matchCriteriaId\":\"14A4E178-28C9-4AC6-B1C3-8F66EF3DC4FD\"}]}]}],\"references\":[{\"url\":\"https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/sourcegraph/sourcegraph/commit/2832d7882396a6295ba5803b5ef48dc7d5a24c59\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-37qp-9jq6-f6mx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.