Indirect Object Access in Sourcegraph Code Monitoring

High
ferozsalam published GHSA-5866-hhq9-9hpc Jul 26, 2022

Package

gomod Sourcegraph (Go)

Affected versions

< 3.42.0

Patched versions

3.42.0

Description

Impact

It is possible for an authenticated Sourcegraph user to edit the Code Monitors owned by any other Sourcegraph user. This includes being able to edit both the trigger and the action of the monitor in question.

An attacker cannot read the contents of existing code monitors; they can only overwrite the data.
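An added example, not Sourcegraph's own code, that models the class of missing ownership check the advisory describes: the monitor is resolved by ID alone, so any authenticated user can overwrite it, next to a hardened update that checks the owner against the acting user. The Monitor and Store types, their field names and the seeded record are assumptions constructed for illustration.

```go
package main

import "errors"

// Monitor is a hypothetical, simplified code monitor (not Sourcegraph's own type).
type Monitor struct {
	ID      int
	OwnerID int    // user who created the monitor
	Trigger string // e.g. the search query whose new results fire the monitor
	Action  string // e.g. where the notification is delivered
}

var ErrNotFound = errors.New("monitor not found")
var ErrForbidden = errors.New("actor does not own this monitor")

// Store holds monitors in memory; the seeded record is constructed for this example.
type Store struct{ Monitors map[int]*Monitor }

func NewStore() *Store {
	return &Store{Monitors: map[int]*Monitor{
		1: {ID: 1, OwnerID: 1, Trigger: "repo:^example/app$ TODO", Action: "email:alice"},
	}}
}

// UpdateMonitorUnchecked reproduces the class of flaw in the advisory: the monitor is
// resolved by ID alone, so any authenticated actor can overwrite any monitor.
func (s *Store) UpdateMonitorUnchecked(actorID, monitorID int, trigger, action string) error {
	m, ok := s.Monitors[monitorID]
	if !ok {
		return ErrNotFound
	}
	m.Trigger, m.Action = trigger, action
	return nil
}

// UpdateMonitor is the hardened form: actorID comes from the authenticated session (never
// from the request body) and is compared with the owner before any field is written.
func (s *Store) UpdateMonitor(actorID, monitorID int, trigger, action string) error {
	m, ok := s.Monitors[monitorID]
	if !ok {
		return ErrNotFound
	}
	if m.OwnerID != actorID {
		return ErrForbidden
	}
	m.Trigger, m.Action = trigger, action
	return nil
}
```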

Patches

The issue is fixed in Sourcegraph 3.42.0.

Workarounds

There is no workaround for this issue; upgrading to a patched version is highly recommended.

References

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2022-31154

Weaknesses