Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1teHJ4LWZnOHAtNXA1as4AAvaq
Bifrost vulnerable to authentication check flaw that leads to authentication bypass
Impact
The admin and monitor user groups need to be authenticated by username and password. If we delete the X-Requested-With: XMLHttpRequest field in the request header, the authentication will be bypassed.
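The pattern behind this class of flaw, as an added Go illustration that is not Bifrost's own code: a middleware that runs the credential check only when a client-controlled header is present, beside the corrected form that checks unconditionally, plus an in-memory probe a maintainer can use as a regression test. It assumes HTTP basic auth and constructed credentials; Bifrost's real authentication scheme and handlers are not reproduced here.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)
const adminUser, adminPass = "admin", "s3cret" // constructed for this illustration
func validCreds(r *http.Request) bool {
	u, p, ok := r.BasicAuth()
	return ok && subtle.ConstantTimeCompare([]byte(u), []byte(adminUser)) == 1 &&
		subtle.ConstantTimeCompare([]byte(p), []byte(adminPass)) == 1
}
// vulnerableAuth reproduces the flaw the advisory describes: credentials are checked
// only when X-Requested-With: XMLHttpRequest is present, so omitting it skips the check.
func vulnerableAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Requested-With") == "XMLHttpRequest" && !validCreds(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fixedAuth checks credentials unconditionally; a client-controlled header never gates it.
func fixedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !validCreds(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-memory request through mw and returns the HTTP status code.
func probe(mw func(http.Handler) http.Handler, withHeader, withCreds bool) int {
	h := mw(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if withHeader {
		req.Header.Set("X-Requested-With", "XMLHttpRequest")
	}
	if withCreds {
		req.SetBasicAuth(adminUser, adminPass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Running the probe without credentials against both middlewares shows the difference: the flawed one answers 200 once the header is absent, the fixed one answers 401 regardless of the header.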
Patches
https://github.com/brockercap/Bifrost/pull/201
Workarounds
Upgrade to the latest version
Permalink: https://github.com/advisories/GHSA-mxrx-fg8p-5p5j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1teHJ4LWZnOHAtNXA1as4AAvaq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-mxrx-fg8p-5p5j, CVE-2022-39267
References:
- https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j
- https://github.com/brockercap/Bifrost/pull/201
- https://github.com/brokercap/Bifrost/commit/63da5c8eb7eb21639ea7ac199fe10b5e07b03a8a
- https://nvd.nist.gov/vuln/detail/CVE-2022-39267
- https://github.com/advisories/GHSA-mxrx-fg8p-5p5j
Blast Radius: 0.0
Affected Packages
go:github.com/brokercap/Bifrost
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.8.7-release
Fixed in: 1.8.7-release
All affected versions: 1.1.0, 1.2.2
All unaffected versions: