Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Side-channel attack in Sourcegraph Code Monitors
Vulnerability Description
Sourcegraph is a code search and navigation engine. Sourcegraph versions 3.35 and 3.36 reintroduced a previously fixed side-channel vulnerabilitity in the Code Monitoring feature where strings in private source code could be guessed by an authenticated but unauthorized actor. This issue affects only the Code Monitoring feature, whereas CVE-2021-43823 also affected saved searches. A successful attack would require an authenticated bad actor to create many Code Monitors to receive confirmation that a specific string exists. This could allow an attacker to guess formatted tokens in source code, such as API keys. This issue was patched in versions 3.35.2 and 3.36.3 of Sourcegraph. Those who are unable to upgrade may disable the Code Monitor feature in their installation.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
Sourcegraph 安全漏洞
Vulnerability Description
Sourcegraph是美国Sourcegraph公司的一款开源的代码搜索和导航工具。 Sourcegraph 3.35和3.36版本存在安全漏洞,该漏洞源于代码监视特性中重新引入了一个以前修复的侧通道漏洞,在这个漏洞中,私有源代码中的字符串可能被经过身份验证但未经授权的参与者猜测。
CVSS Information
N/A
Vulnerability Type
N/A