Lucene search

GoogleOSV:CVE-2022-39267

HistoryOct 19, 2022 - 1:15 p.m.

CVE-2022-39267

2022-10-1913:15:08

Google

osv.dev

bifrost

middleware

authentication bypass

version 1.8.8

patched

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.9%

JSON

Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds.

CPENameOperatorVersion
bifrosteq1.1.0-beta.13
bifrosteq1.2.1-release
bifrosteq1.5.0-release
bifrosteq1.2.2
bifrosteq1.4.4-release
bifrosteq1.0.1-release
bifrosteq1.1.0-beta.07-04
bifrosteq1.0.0-release
bifrosteq1.1.0-beta.14
bifrosteq1.1.0-beta.18

Name	Operator	Version
bifrost	eq	1.1.0-beta.13
bifrost	eq	1.2.1-release
bifrost	eq	1.5.0-release
bifrost	eq	1.2.2
bifrost	eq	1.4.4-release
bifrost	eq	1.0.1-release
bifrost	eq	1.1.0-beta.07-04
bifrost	eq	1.0.0-release
bifrost	eq	1.1.0-beta.14
bifrost	eq	1.1.0-beta.18

Rows per page:

1-10 of 701

References

github.com/brockercap/Bifrost/pull/201

github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.9%

JSON

Related for OSV:CVE-2022-39267