CVE-2022-32169

Date: September 28, 2022

Overview

The "Bytebase" application does not restrict low-privilege users from accessing "admin issues".

Details

The "Bytebase" application does not restrict low-privilege users from accessing "admin issues": an unauthorized user can view the "OPEN" and "CLOSED" issues by "Admin". The affected endpoint is "/issue".
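The flaw described above, as an added illustration that is not Bytebase's own code: a Go handler for "/issue" that only checks that the caller is logged in (a hypothetical X-Principal-Role header stands in for the session), next to a requireRole wrapper that enforces the role check the report says is missing. Role names and issue data are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample data: the admin issue list served on /issue.
var issues = []string{"OPEN: migrate prod schema", "CLOSED: rotate db password"}

// vulnerableIssueHandler mirrors the reported flaw: it checks only that the caller
// is logged in (hypothetical X-Principal-Role header), never the caller's role.
func vulnerableIssueHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Principal-Role") == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	for _, iss := range issues {
		fmt.Fprintln(w, iss)
	}
}

// requireRole is the fix: an explicit authorization check in front of the
// handler, so /issue answers 403 to any role outside the allow-list.
func requireRole(allowed map[string]bool, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Header.Get("X-Principal-Role")] { // missing role is never allowed
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// fetch performs GET /issue as the given role and returns the HTTP status code.
func fetch(h http.HandlerFunc, role string) int {
	req := httptest.NewRequest(http.MethodGet, "/issue", nil)
	req.Header.Set("X-Principal-Role", role)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	hardened := requireRole(map[string]bool{"OWNER": true}, vulnerableIssueHandler)
	fmt.Println(fetch(vulnerableIssueHandler, "DEVELOPER")) // 200: developer reads admin issues
	fmt.Println(fetch(hardened, "DEVELOPER"))               // 403
	fmt.Println(fetch(hardened, "OWNER"))                   // 200
}
```

The same wrapper can guard every admin-only route, so the check lives in one place instead of being repeated (or forgotten) per handler.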

PoC Details

1. Log into the application as both "Admin" (admin@example.com:admin) and the Developer "User" (user@example.com:user). Note that "User", with the "Developer" role, does not have the "Issues" functionality.
2. Go to issues as the "admin" user; you will see the endpoint "/issue". Copy that URL ("http://localhost:8080/issue") and open it as "User".
3. Then click on "User" and select "Admin".
4. You will see that it discloses the "OPEN" and "CLOSED" issues by "Admin".

Affected Environments

Bytebase versions 0.1.0 through 1.0.4

Prevention

No fix

Language: Go

Good to know:

Improper Authorization (CWE-285)

Incorrect Permission Assignment for Critical Resource (CWE-732)

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None