Bazel Credential Leak via Remote Assets API (>=5.3.2/4.2.3)
CVE-2022-3474 Published on October 26, 2022
Bazel leaks user credentials through the remote assets API
Bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the ones required for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3.
Weakness Type
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Products Associated with CVE-2022-3474
Affected Versions
Google LLC Bazel:
- Version 5.0.0 and below 5.3.2 is affected.
- Version 4.0.0 and below 4.2.3 is affected.
- Version 3.0.0 and below 3.7.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.