Headline
CVE-2022-3474: GrpcRemoteDownloader sends credentials of all domains to remote assets API
A bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required ones for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3.
Impact
When using --experimental_remote_downloader, Bazel delegates downloading external
repositories to a remote server implementing the remote assets API. When doing
so, Bazel sends the user-provided credentials for the downloads as a qualifier to
the remote service. It sends all credentials Bazel knows about, not just the
credentials for the URLs it asks the remote service to download.
Sending any credentials to the remote server is already questionable and
inefficient (as the qualifier is used as part of the cache key remotely), but
Bazel should definitely not send credentials for unrelated domains.
Here’s a test that demonstrates the behavior:
https://cs.opensource.google/bazel/bazel/+/master:src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java;l=345;drc=b750f8c0242d7fcb581d368d8b75e59c51c13a61
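The two behaviours described above, as an added model that is not Bazel's own code: a credential store keyed by host (an assumption; the real store and the qualifier name are not given on this page, so the qualifier name is a placeholder), the pre-fix "send everything" qualifier beside the scoped one, and a toy cache key showing why an unrelated credential also changes the remote cache key.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample credential store keyed by host (netrc-style shape;
# not Bazel's real data structure). Values are the headers to attach.
CREDENTIALS = {
    "github.com": {"Authorization": "Bearer gh-token"},
    "internal.example.com": {"Authorization": "Basic dXNlcjpwYXNz"},
}

QUALIFIER_NAME = "auth_headers"  # placeholder for the real qualifier name


def auth_qualifier_vulnerable(urls, credentials):
    """Pre-fix behaviour: every credential Bazel knows about goes into the
    qualifier, regardless of which hosts `urls` actually point at."""
    return {QUALIFIER_NAME: json.dumps(credentials, sort_keys=True)}


def auth_qualifier_fixed(urls, credentials):
    """Scoped behaviour: only credentials for hosts that appear in `urls`."""
    hosts = {urlsplit(u).hostname for u in urls}
    scoped = {h: c for h, c in credentials.items() if h in hosts}
    return {QUALIFIER_NAME: json.dumps(scoped, sort_keys=True)}


def fetch_cache_key(urls, qualifiers):
    """Model of the remote side's cache key: URIs plus every qualifier, so any
    change in a qualifier value (even an unrelated credential) is a cache miss."""
    material = json.dumps({"uris": sorted(urls), "qualifiers": qualifiers},
                          sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def hosts_disclosed(qualifiers):
    """Hosts whose credentials are present in the qualifier value."""
    return sorted(json.loads(qualifiers[QUALIFIER_NAME]))


if __name__ == "__main__":
    urls = ["https://github.com/example/repo/archive/v1.0.tar.gz"]
    print("vulnerable sends:", hosts_disclosed(auth_qualifier_vulnerable(urls, CREDENTIALS)))
    print("scoped sends:    ", hosts_disclosed(auth_qualifier_fixed(urls, CREDENTIALS)))
```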
Patches
Has the problem been patched? What versions should users upgrade to?
Patches not yet available.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Only use a trusted remote downloader server and avoid giving Bazel unrelated credentials.
References
Are there any links users can visit to find out more?