CVE-2022-39267: Bifrost vulnerable to authentication check flaw that leads to authentication bypass

October 19, 2022 (updated October 20, 2022)

Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds.

References

github.com/advisories/GHSA-mxrx-fg8p-5p5j
github.com/brockercap/Bifrost/pull/201
github.com/brokercap/Bifrost/commit/63da5c8eb7eb21639ea7ac199fe10b5e07b03a8a
github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j

Code Behaviors & Features

Detect and mitigate CVE-2022-39267 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →