Lucene search

GoogleOSV:GHSA-MXRX-FG8P-5P5J

HistoryOct 18, 2022 - 7:57 p.m.

Bifrost vulnerable to authentication check flaw that leads to authentication bypass

2022-10-1819:57:50

Google

osv.dev

bifrost

authentication bypass

admin

monitor

upgrade

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

42.9%

JSON

Impact

The admin and monitor user groups need to be authenticated by username and password. If we delete the X-Requested-With: XMLHttpRequest field in the request header,the authentication will be bypassed.

Patches

https://github.com/brockercap/Bifrost/pull/201

Workarounds

Upgrade to the latest version

CPENameOperatorVersion
github.com/brokercap/bifrostlt1.8.7-release

CPE	Name	Operator	Version
	github.com/brokercap/bifrost	lt	1.8.7-release

References

github.com/brockercap/Bifrost/pull/201

github.com/brokercap/Bifrost

github.com/brokercap/Bifrost/commit/63da5c8eb7eb21639ea7ac199fe10b5e07b03a8a

github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j

nvd.nist.gov/vuln/detail/CVE-2022-39267

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

42.9%

JSON

Related for OSV:GHSA-MXRX-FG8P-5P5J