GHSA-9MMC-27GW-W6MQ

Vulnerability from github – Published: 2022-09-29 00:00 – Updated: 2025-05-21 16:43
VLAI?
Summary
Bytebase allows low-privilege users to view admin projects
Details

Overview

The "Bytebase" application does not restrict low privilege user from accessing admin projects

Details

The "Bytebase" application does not restrict low privilege user from accessing admin projects for which an unauthorized user can view the "projects" created by "Admin". The affected endpoint is /api/project?user=${userId}.

PoC

  1. Log in to the application as both "Admin" (admin@example.com:admin) and Developer "User" (user@admin.com:user) and then click on "Projects".
  2. Now open "Burp suite" and turn "Intercept on" and from "admin" dashboard click on "projects" and see the "user id" of "admin" in the capture request.
  3. Note the "user id" and "Forward" the request and again capture the request of "projects" from the "user" dashboard and change "user id" to "admin user id" and "Forward" the request.
  4. Now "user" can see the "projects" created by "admin".
Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bytebase/bytebase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "last_affected": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-32170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T20:10:21Z",
    "nvd_published_at": "2022-09-28T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Overview\nThe \"Bytebase\" application does not restrict low privilege user from accessing admin projects\n\n### Details\nThe \"Bytebase\" application does not restrict low privilege user from accessing admin projects for which an unauthorized user can view the \"projects\" created by \"Admin\". The affected endpoint is `/api/project?user=${userId}`.\n\n### PoC\n1. Log in to the application as both \"Admin\" (`admin@example.com:admin`) and Developer \"User\" (`user@admin.com:user`) and then click on \"Projects\".\n2. Now open \"Burp suite\" and turn \"Intercept on\" and from \"admin\" dashboard click on \"projects\" and see the \"user id\" of \"admin\" in the capture request.\n3. Note the \"user id\" and \"Forward\" the request and again capture the request of \"projects\" from the \"user\" dashboard and change \"user id\" to \"admin user id\" and \"Forward\" the request.\n4. Now \"user\" can see the \"projects\" created by \"admin\".",
  "id": "GHSA-9mmc-27gw-w6mq",
  "modified": "2025-05-21T16:43:52Z",
  "published": "2022-09-29T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32170"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytebase/bytebase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts#L166-L197"
    },
    {
      "type": "WEB",
      "url": "https://www.mend.io/vulnerability-database/CVE-2022-32170"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Bytebase allows low-privilege users to view admin projects"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.