CVE-2022-3474 for Bazel

Signed-off-by: Francis Perron <f@u269c.com>
2025-07-30 18:04:30 +00:00 · 2022-10-26 14:53:13 -04:00 · 2022-10-26 14:53:13 -04:00 · 49001b90ec
commit 49001b90ec
parent 1c8c6eeadb
1 changed files with 103 additions and 17 deletions
--- a/2022/3xxx/CVE-2022-3474.json
+++ b/2022/3xxx/CVE-2022-3474.json
@ -1,18 +1,104 @@
 {
-    "data_type": "CVE",
+	"CVE_data_meta": {
-    "data_format": "MITRE",
+		"ASSIGNER": "security@google.com",
-    "data_version": "4.0",
+		"ID": "CVE-2022-3474",
-    "CVE_data_meta": {
+		"STATE": "PUBLIC",
-        "ID": "CVE-2022-3474",
+		"TITLE": "Bazel leaks user credentials through the remote assets API"
-        "ASSIGNER": "cve@mitre.org",
+	},
-        "STATE": "RESERVED"
+	"affects": {
-    },
+		"vendor": {
-    "description": {
+			"vendor_data": [
-        "description_data": [
+				{
-            {
+					"product": {
-                "lang": "eng",
+						"product_data": [
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+							{
-            }
+								"product_name": "Bazel",
-        ]
+								"version": {
-    }
+									"version_data": [
-}
+										{
 											"version_affected": "<",
 											"version_name": "5.0.0",
 											"version_value": "5.3.2"
 										},
 										{
 											"version_affected": "<",
 											"version_name": "4.0.0",
 											"version_value": "4.2.3"
 										},
 										{
 											"version_affected": ">",
 											"version_name": "3.0.0",
 											"version_value": "3.0.0"
 										}
 									]
 								}
 							}
 						]
 					},
 					"vendor_name": "Google LLC"
 				}
 			]
 		}
 	},
 	"credit": [
 		{
 			"lang": "eng",
 			"value": "https://github.com/Yannic"
 		}
 	],
 	"data_format": "MITRE",
 	"data_type": "CVE",
 	"data_version": "4.0",
 	"description": {
 		"description_data": [
 			{
 				"lang": "eng",
 				"value": "A bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required ones for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3."
 			}
 		]
 	},
 	"generator": {
 		"engine": "Vulnogram 0.0.9"
 	},
 	"impact": {
 		"cvss": {
 			"attackComplexity": "LOW",
 			"attackVector": "ADJACENT_NETWORK",
 			"availabilityImpact": "NONE",
 			"baseScore": 3.5,
 			"baseSeverity": "LOW",
 			"confidentialityImpact": "LOW",
 			"integrityImpact": "NONE",
 			"privilegesRequired": "LOW",
 			"scope": "UNCHANGED",
 			"userInteraction": "NONE",
 			"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
 			"version": "3.1"
 		}
 	},
 	"problemtype": {
 		"problemtype_data": [
 			{
 				"description": [
 					{
 						"lang": "eng",
 						"value": "CWE-522 Insufficiently Protected Credentials"
 					}
 				]
 			}
 		]
 	},
 	"references": {
 		"reference_data": [
 			{
 				"name": "https://github.com/bazelbuild/bazel/security/advisories/GHSA-mxr8-q875-rhwq",
 				"refsource": "CONFIRM",
 				"url": "https://github.com/bazelbuild/bazel/security/advisories/GHSA-mxr8-q875-rhwq"
 			}
 		]
 	},
 	"source": {
 		"discovery": "EXTERNAL"
 	}
 }