CVE-2022-32170

🗓️ 28 Sep 2022 09:30:18Reported by MendType

cve🔗 web.nvd.nist.gov📰️ 5 Media mentions👁 333 Views🌐 WEB

"Bytebase" app allows unauthorized access to admin project

Reporter	Title	Published	Views	Family All 12
CNNVD	Bytebase 授权问题漏洞	28 Sep 202200:00	–	cnnvd
CNVD	Bytebase licensing issue vulnerability	30 Sep 202200:00	–	cnvd
Cvelist	CVE-2022-32170 bytebase - Improper Authorization	28 Sep 202209:30	–	cvelist
EUVD	EUVD-2022-6762	3 Oct 202520:07	–	euvd
Github Security Blog	Bytebase allows low-privilege users to view admin projects	29 Sep 202200:00	–	github
NVD	CVE-2022-32170	28 Sep 202210:15	–	nvd
OSV	CVE-2022-32170	28 Sep 202210:15	–	osv
OSV	GHSA-9MMC-27GW-W6MQ Bytebase allows low-privilege users to view admin projects	29 Sep 202200:00	–	osv
Prion	Code injection	28 Sep 202210:15	–	prion
Positive Technologies	PT-2022-21133 · Bytebase · Bytebase	28 Sep 202200:00	–	ptsecurity

NVD

Node

bytebase bytebaseRange0.1.0–1.0.4

[
  {
    "product": "bytebase",
    "vendor": "bytebase",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0.1.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "1.0.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
mend	www.mend.io/vulnerability-database/CVE-2022-32170
github	www.github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts

Parameter	Position	Path	Description	CWE
user	query param	/api/project?user=${userId}	Unauthorized low-privilege user can access admin projects by supplying a userId, exposing admin-created projects.	CWE-285