CVE-2021-43823

Published: Dec 13, 2021

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.33.2 is vulnerable to a side-channel attack where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects the Saved Searches and Code Monitoring features. A successful attack would require an authenticated bad actor to create many Saved Searches or Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in version 3.33.2 and any future versions of Sourcegraph. We strongly encourage upgrading to secure versions. If you are unable to, you may disable Saved Searches and Code Monitors.

Vendor	Product	Versions
sourcegraph	sourcegraph	affected `< 3.33.2`

Weaknesses (CWE)

CWE-200

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-cpq7-hmvv-29w9

x_refsource_CONFIRM

https://github.com/sourcegraph/sourcegraph/commit/a88d90a8302c492282186d39718cd8fb093c14fa

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-43823

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References