Bifrost vulnerable to authentication check flaw that leads to authentication bypass
Package
Affected versions
< 1.8.7-release
Patched versions
1.8.7-release
Description
Published to the GitHub Advisory Database
Oct 18, 2022
Reviewed
Oct 18, 2022
Published by the National Vulnerability Database
Oct 19, 2022
Last updated
Feb 2, 2023
Impact
The admin and monitor user groups need to be authenticated by username and password. If we delete the X-Requested-With: XMLHttpRequest field in the request header,the authentication will be bypassed.
Patches
https://github.com/brockercap/Bifrost/pull/201
Workarounds
Upgrade to the latest version
References