CVE-2022-23643

MEDIUM

Sourcegraph 3.35.0-3.35.1 - Authenticated Exposure of Sensitive Information via Code Monitoring Feature

Title source: llm

Description

Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects only the Code Monitoring feature, whereas CVE-2021-43823 also affected saved searches. A successful attack would require an authenticated bad actor to create many Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in versions 3.35.2 and 3.36.3 of Sourcegraph. Those who are unable to upgrade may disable the Code Monitor feature in their installation.

References (2)

Core 2

Core References

Issue Tracking, Third Party Advisory x_refsource_confirm

https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-xqv2-x6f2-w3pf

Patch, Third Party Advisory x_refsource_misc

https://github.com/sourcegraph/sourcegraph/pull/30547

Scores

CVSS v3 6.5

EPSS 0.0079

EPSS Percentile 51.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200 CWE-203

Status published

Products (1)

sourcegraph/sourcegraph 3.35.0 - 3.35.2

Published Feb 15, 2022

Tracked Since Feb 18, 2026