Skip to content
This repository has been archived by the owner on Sep 30, 2024. It is now read-only.

Indirect Object Access in Sourcegraph Code Monitoring

High
ferozsalam published GHSA-5866-hhq9-9hpc Jul 26, 2022

Package

gomod Sourcegraph (Go)

Affected versions

< 3.42.0

Patched versions

3.42.0

Description

Impact

It is possible for an authenticated Sourcegraph user to edit the Code Monitors owned by any other Sourcegraph user. This includes being able to edit both the trigger and the action of the monitor in question.

An attacker is not able to read contents of existing code monitors, only override the data.

Patches

The issue is fixed in Sourcegraph 3.42.0.

Workarounds

There is no workaround for the issue and patching is highly recommended.

References

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2022-31154

Weaknesses