Skip to content

Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication

High severity GitHub Reviewed Published Sep 24, 2022 in brokercap/Bifrost • Updated Jan 28, 2023

Package

gomod github.com/brokercap/Bifrost (Go)

Affected versions

<= 1.8.6-release

Patched versions

1.8.7-release

Description

Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds.

References

@jc3wish jc3wish published to brokercap/Bifrost Sep 24, 2022
Published by the National Vulnerability Database Sep 26, 2022
Published to the GitHub Advisory Database Sep 27, 2022
Reviewed Sep 27, 2022
Last updated Jan 28, 2023

Severity

High
8.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Weaknesses

CVE ID

CVE-2022-39219

GHSA ID

GHSA-p6fh-xc6r-g5hw

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.