Sourcegraph
CVE-2021-43823
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (github) · only source for this CVE.
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A successful attack would require an authenticated bad actor to create many Saved Searches or Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in version 3.33.2 and any future versions of Sourcegraph. We strongly encourage upgrading to secure versions. If you are unable to, you may disable Saved Searches and Code Monitors.
AnalysisAI
Sourcegraph is a code search and navigation engine. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. A successful attack would require an authenticated bad actor to create many Saved Searches or Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in version 3.33.2 and any future versions of Sourcegraph. We strongly encourage upgrading to secure versions. If you are unable to, you may disable Saved Searches and Code Monitors. Affected products include: Sourcegraph. Version information: version 3.33.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Sourcegraph
View allSourcegraph is a code search and navigation engine. Rated high severity (CVSS 8.8), this vulnerability is remotely explo
Sourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL
Sourcegraph is a code intelligence platform. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity
sourcegraph is a code intelligence platform. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable,
Sourcegraph is a fast and featureful code search and navigation engine. Rated high severity (CVSS 7.2), this vulnerabili
Sourcegraph is an opensource code search and navigation engine. Rated medium severity (CVSS 4.3), this vulnerability is
Sourcegraph is an opensource code search and navigation engine. Rated medium severity (CVSS 4.3), this vulnerability is
Sourcegraph is a code search and navigation engine. Rated medium severity (CVSS 4.3), this vulnerability is remotely exp
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today