CVE-2022-32170

bytebase - Improper Authorization

CVSS 4.3 MEDIUMEPSS 0.5%CWE-285

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.3EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

28 Sep 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The “Bytebase” application does not restrict low privilege user to access admin “projects“ for which an unauthorized user can view the “projects“ created by “Admin” and the affected endpoint is “/api/project?user=${userId}”.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products

bytebase · bytebase

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts#L166-L197 https://www.mend.io/vulnerability-database/CVE-2022-32170