
Authentication check flaw leads to authentication bypass

High
jc3wish published GHSA-mxrx-fg8p-5p5j Oct 16, 2022

Package

gomod https://github.com/brokercap/Bifrost/tree/master/admin/controller (Go)

Affected versions

<=v1.8.6-release

Patched versions

v1.8.7-release

Description

Impact

The admin and monitor user groups are required to authenticate with a username and password.
If the X-Requested-With: XMLHttpRequest field is removed from the request header, the authentication check is bypassed.
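
As an added illustration of the flaw class described above (a constructed example, not Bifrost's code; the session-cookie check, the /admin and /login paths and the handler names are assumptions), a Go handler that only reaches its authentication check when the X-Requested-With header is present, beside one that authenticates every request and uses the header only to choose the error response:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Stand-in for the username/password session check of the admin and monitor groups (constructed).
func isAuthenticated(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value == "valid-session"
}

// Flawed pattern: the credential check is only reached when the AJAX marker is present, so omitting it skips the check.
func flawedHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-Requested-With") == "XMLHttpRequest" && !isAuthenticated(r) {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// Fixed pattern: every request is authenticated; the header only decides how a failure is reported.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	if !isAuthenticated(r) {
		if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
			w.WriteHeader(http.StatusUnauthorized) // JSON/AJAX caller gets a 401
		} else {
			http.Redirect(w, r, "/login", http.StatusFound) // browser is sent to the login page
		}
		return
	}
	w.WriteHeader(http.StatusOK)
}

// probe sends a request with no session cookie, with or without the header, and returns the status code.
func probe(h http.HandlerFunc, withHeader bool) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if withHeader {
		req.Header.Set("X-Requested-With", "XMLHttpRequest")
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe(flawedHandler, false), probe(fixedHandler, false)) // 200 302
}
```

A regression test for this bug is the same comparison: an unauthenticated request without the header must never receive 200 from any protected route.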

Patches

https://github.com/brockercap/Bifrost/pull/201

Workarounds

Upgrade to the latest version

Severity

High

CVE ID

CVE-2022-39267

Weaknesses

No CWEs