CVE-2022-3474: Insufficiently Protected Credentials in LLC Bazel

Severity: 5.1 MEDIUM (NVD)
EPSS: 0.0% (top 85.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Latest update: Oct 11
Published: Oct 26

Description

Bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the ones required for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3.

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages: 5 packages

Vendor Advisories: 1

Microsoft: Bazel leaks user credentials through the remote assets API (2022-10-11)