Bugzilla – Bug 1204784
VUL-0: CVE-2022-3474: bazel, bazel3.4, bazel3.7: GrpcRemoteDownloader sends credentials of all domains to remote assets API
Last modified: 2022-10-27 08:15:02 UTC
A bad credential handling in the remote assets API for Bazel versions prior to
5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required
ones for the requests. We recommend upgrading to versions later than or equal to
5.3.2 or 4.2.3.