GHSA-p6fh-xc6r-g5hw

Source
https://github.com/advisories/GHSA-p6fh-xc6r-g5hw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-p6fh-xc6r-g5hw/GHSA-p6fh-xc6r-g5hw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p6fh-xc6r-g5hw
Aliases
Related
Published
2022-09-27T15:45:09Z
Modified
2024-08-21T16:28:41.447653Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Summary
Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication
Details

Bifrost is a middleware package that synchronizes MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when HTTP basic authentication is used. This may allow group members who only have read permissions to issue write requests that they are normally forbidden from making. Version 1.8.7-release contains a patch. There are currently no known workarounds.

Database specific
{
    "nvd_published_at": "2022-09-26T14:15:00Z",
    "github_reviewed_at": "2022-09-27T15:45:09Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-287",
        "CWE-732"
    ]
}
References

Affected packages

Go / github.com/brokercap/Bifrost

Package

Name
github.com/brokercap/Bifrost
Purl
pkg:golang/github.com/brokercap/Bifrost

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.8.7-release

Database specific

{
    "last_known_affected_version_range": "<= 1.8.6-release"
}