PT-2022-16155 · Sourcegraph · Sourcegraph
Published: 2022-02-15 · Updated: 2022-02-24
CVE-2022-23643
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Sourcegraph versions 3.35 through 3.36.2
Description
The issue is a side-channel vulnerability in the Code Monitoring feature: an authenticated but unauthorized actor could guess strings in private source code. A successful attack would require creating many Code Monitors to receive confirmation that a specific string exists, potentially allowing an attacker to guess formatted tokens in source code, such as API keys.
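Because the attack described above depends on creating a large number of Code Monitors, one defensive signal is a burst of monitor-creation events from a single account. The following detection heuristic is an added example, not part of this advisory or of Sourcegraph's own code; the JSON audit-line format, the `code_monitor.create` action name and the sample events are all constructed assumptions.

```python
"""Flag users who create many Code Monitors inside a short time window.

Added example for CVE-2022-23643; the log schema below is an assumption
(constructed JSON lines), not Sourcegraph's real audit-log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def find_monitor_bursts(log_text, window=timedelta(minutes=10), threshold=20):
    """Return {actor: peak_creations_in_one_window} for every actor who
    created at least `threshold` monitors within any sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "code_monitor.create":
            continue  # only monitor creation feeds this heuristic
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[rec["actor"]].append(ts)

    flagged = {}
    for actor, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # slide the window start forward until it spans at most `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


def constructed_log():
    """Constructed sample: one account creates 40 monitors ten seconds apart,
    another creates a single ordinary monitor an hour later."""
    base = datetime(2022, 2, 15, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=10 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(json.dumps({"ts": ts, "actor": "user-a",
                                 "action": "code_monitor.create",
                                 "query": f"repo:^private$ api_key_{i:03d}"}))
    lines.append(json.dumps({"ts": "2022-02-15T11:00:00Z", "actor": "user-b",
                             "action": "code_monitor.create",
                             "query": "repo:^app$ TODO"}))
    return "\n".join(lines)
```

Tune `window` and `threshold` to the normal rate of monitor creation in your own instance before alerting on the result.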
Recommendations
For Sourcegraph versions 3.35 through 3.36.2, update to version 3.35.2 or 3.36.3 to resolve the issue.
As a temporary workaround for those unable to upgrade, consider disabling the Code Monitor feature in the installation.
Information Disclosure
Side Channel Attack
Affected Products
Sourcegraph