CVE-2022-3474

Summary

A bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required ones for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3.

Affected Software

VendorProductVersion RangeStatus
Google LLCBazel5.0.0 < 5.3.2affected
Google LLCBazel4.0.0 < 4.2.3affected
Google LLCBazel3.0.0 < 3.7.2affected

Weaknesses

  • CWE-522: CWE-522 Insufficiently Protected Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References