GitHub Advisory Database: GHSA-MXRX-FG8P-5P5J
History: Oct 18, 2022 - 7:57 p.m.

Bifrost vulnerable to authentication check flaw that leads to authentication bypass

Published: 2022-10-18 19:57:50
CWE-287
Source: GitHub Advisory Database (github.com)

8.8 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 42.9%

Impact

The admin and monitor user groups must authenticate with a username and password. If the X-Requested-With: XMLHttpRequest field is deleted from the request header, the authentication check is bypassed.
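The following is an added illustration of the bug class described above; it is not Bifrost's code and does not reproduce the project's actual handlers. The flawed middleware only runs the credential check when the request carries X-Requested-With: XMLHttpRequest, so a request that omits the header is never challenged. The fixed middleware makes the credential check unconditional and treats the header as irrelevant to the authorization decision. The demo credentials, the /admin path and the probe helper are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed demo credentials (assumption; nothing to do with Bifrost).
const (
	demoUser = "admin"
	demoPass = "s3cret"
)

// validCredentials checks HTTP Basic credentials in constant time.
func validCredentials(r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return false
	}
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(demoUser)) == 1
	passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(demoPass)) == 1
	return userOK && passOK
}

func challenge(w http.ResponseWriter) {
	w.Header().Set("WWW-Authenticate", `Basic realm="admin"`)
	http.Error(w, "unauthorized", http.StatusUnauthorized)
}

// flawedAuth gates the credential check on a client-controlled header:
// a request without X-Requested-With: XMLHttpRequest skips the check.
func flawedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
			if !validCredentials(r) {
				challenge(w)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// fixedAuth always requires valid credentials; the header plays no part
// in the authorization decision.
func fixedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !validCredentials(r) {
			challenge(w)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// protected stands in for the admin/monitor pages.
var protected = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "admin panel")
})

// probe sends an in-memory GET to the handler, optionally with the header
// and/or valid credentials, and returns the HTTP status code.
func probe(h http.Handler, withHeader, withCreds bool) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if withHeader {
		req.Header.Set("X-Requested-With", "XMLHttpRequest")
	}
	if withCreds {
		req.SetBasicAuth(demoUser, demoPass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, c := range []struct {
		name string
		h    http.Handler
	}{{"flawed", flawedAuth(protected)}, {"fixed", fixedAuth(protected)}} {
		fmt.Printf("%s: header/no creds=%d  no header/no creds=%d  creds=%d\n",
			c.name,
			probe(c.h, true, false),  // flawed: 401, fixed: 401
			probe(c.h, false, false), // flawed: 200 (bypass), fixed: 401
			probe(c.h, false, true))  // flawed: 200, fixed: 200
	}
}
```

The probe helper doubles as a regression test: an authentication gate should return 401 for every unauthenticated request regardless of which optional headers are present. X-Requested-With is a heuristic some frameworks use to tell XHR calls from plain navigations (for example as a CSRF signal); because the client chooses whether to send it, it can never be the condition that decides whether credentials are checked.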

Patches

https://github.com/brockercap/Bifrost/pull/201

Workarounds

Upgrade to the latest version

Affected configurations

Vulners Node: armbifrost
Range: < 1.8.7-release
