icon

We found results for “

CVE-2022-32169

Date: September 20, 2022

Overview

The "Bytebase" application does not restrict low privilege user to access "admin issues"

Details

The "Bytebase" application does not restrict low privilege user to access "admin issues" for which an unauthorized user can view the "OPEN" and "CLOSED" issues by "Admin" and the affected endpoint is "/issue".

PoC Details

1. Login into the application as both "Admin" (admin@example.com:admin) and Developer "User" (user@example.com:user). Now you can see "User" with "Developer" role doesn't have "Issues" functionality.
2. Now go to issues from "admin" user and you will see the endpoint "/issue" copy the endpoint or url ("http://localhost:8080/issue";) and open it from "User".
3. Then click on "User" and select "Admin".
4. You will see that it will disclose "OPEN" and "CLOSED" issues by "Admin".

Affected Environments

Bytebase versions 0.1.0 through 1.0.4

Prevention

No fix

Language: Go

Good to know:

icon
icon

Improper Authorization

CWE-285
icon

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None