GHSA-mxrx-fg8p-5p5j

Suggest an improvement
Source
https://github.com/advisories/GHSA-mxrx-fg8p-5p5j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-mxrx-fg8p-5p5j/GHSA-mxrx-fg8p-5p5j.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mxrx-fg8p-5p5j
Aliases
Published
2022-10-18T19:57:50Z
Modified
2024-08-21T16:28:58.072327Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Bifrost vulnerable to authentication check flaw that leads to authentication bypass
Details

Impact

The admin and monitor user groups need to be authenticated by username and password. If we delete the X-Requested-With: XMLHttpRequest field in the request header,the authentication will be bypassed.

Patches

https://github.com/brockercap/Bifrost/pull/201

Workarounds

Upgrade to the latest version

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2022-10-19T13:15:00Z",
    "github_reviewed_at": "2022-10-18T19:57:50Z"
}
References

Affected packages

Go / github.com/brokercap/Bifrost

Package

Name
github.com/brokercap/Bifrost
View open source insights on deps.dev
Purl
pkg:golang/github.com/brokercap/Bifrost

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.8.7-release

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-mxrx-fg8p-5p5j/GHSA-mxrx-fg8p-5p5j.json"