Search criteria
4 vulnerabilities found for bifrost by xbifrost
CVE-2022-39267 (GCVE-0-2022-39267)
Vulnerability from nvd – Published: 2022-10-19 00:00 – Updated: 2025-04-23 16:45
VLAI?
Title
Brokercap Bifrost vulnerable to authentication bypass for admin and monitor user groups
Summary
Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds.
Severity ?
8.8 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/brockercap/Bifrost/pull/201"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:40.944004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:45:31.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bifrost",
"vendor": "brokercap",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.8-release"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-19T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j"
},
{
"url": "https://github.com/brockercap/Bifrost/pull/201"
}
],
"source": {
"advisory": "GHSA-mxrx-fg8p-5p5j",
"discovery": "UNKNOWN"
},
"title": "Brokercap Bifrost vulnerable to authentication bypass for admin and monitor user groups"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39267",
"datePublished": "2022-10-19T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:45:31.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39219 (GCVE-0-2022-39219)
Vulnerability from nvd – Published: 2022-09-26 13:15 – Updated: 2025-04-22 17:20
VLAI?
Title
Bifrost users using basic authntication can bypass write permission limit
Summary
Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds.
Severity ?
8.5 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/brokercap/Bifrost/security/adv… | x_refsource_CONFIRM |
| https://github.com/brokercap/Bifrost/issues/200 | x_refsource_MISC |
| https://github.com/brokercap/Bifrost/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:42.533Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/brokercap/Bifrost/issues/200"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39219",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:58.960671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:20:25.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bifrost",
"vendor": "brokercap",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.7-release"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-26T13:15:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/brokercap/Bifrost/issues/200"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release"
}
],
"source": {
"advisory": "GHSA-p6fh-xc6r-g5hw",
"discovery": "UNKNOWN"
},
"title": "Bifrost users using basic authntication can bypass write permission limit",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-39219",
"STATE": "PUBLIC",
"TITLE": "Bifrost users using basic authntication can bypass write permission limit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bifrost",
"version": {
"version_data": [
{
"version_value": "\u003c 1.8.7-release"
}
]
}
}
]
},
"vendor_name": "brokercap"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw",
"refsource": "CONFIRM",
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw"
},
{
"name": "https://github.com/brokercap/Bifrost/issues/200",
"refsource": "MISC",
"url": "https://github.com/brokercap/Bifrost/issues/200"
},
{
"name": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release",
"refsource": "MISC",
"url": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release"
}
]
},
"source": {
"advisory": "GHSA-p6fh-xc6r-g5hw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39219",
"datePublished": "2022-09-26T13:15:14.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:20:25.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39267 (GCVE-0-2022-39267)
Vulnerability from cvelistv5 – Published: 2022-10-19 00:00 – Updated: 2025-04-23 16:45
VLAI?
Title
Brokercap Bifrost vulnerable to authentication bypass for admin and monitor user groups
Summary
Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds.
Severity ?
8.8 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/brockercap/Bifrost/pull/201"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:40.944004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:45:31.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bifrost",
"vendor": "brokercap",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.8-release"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-19T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j"
},
{
"url": "https://github.com/brockercap/Bifrost/pull/201"
}
],
"source": {
"advisory": "GHSA-mxrx-fg8p-5p5j",
"discovery": "UNKNOWN"
},
"title": "Brokercap Bifrost vulnerable to authentication bypass for admin and monitor user groups"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39267",
"datePublished": "2022-10-19T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:45:31.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39219 (GCVE-0-2022-39219)
Vulnerability from cvelistv5 – Published: 2022-09-26 13:15 – Updated: 2025-04-22 17:20
VLAI?
Title
Bifrost users using basic authntication can bypass write permission limit
Summary
Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds.
Severity ?
8.5 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/brokercap/Bifrost/security/adv… | x_refsource_CONFIRM |
| https://github.com/brokercap/Bifrost/issues/200 | x_refsource_MISC |
| https://github.com/brokercap/Bifrost/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:42.533Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/brokercap/Bifrost/issues/200"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39219",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:58.960671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:20:25.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Bifrost",
"vendor": "brokercap",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.7-release"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-26T13:15:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/brokercap/Bifrost/issues/200"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release"
}
],
"source": {
"advisory": "GHSA-p6fh-xc6r-g5hw",
"discovery": "UNKNOWN"
},
"title": "Bifrost users using basic authntication can bypass write permission limit",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-39219",
"STATE": "PUBLIC",
"TITLE": "Bifrost users using basic authntication can bypass write permission limit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Bifrost",
"version": {
"version_data": [
{
"version_value": "\u003c 1.8.7-release"
}
]
}
}
]
},
"vendor_name": "brokercap"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw",
"refsource": "CONFIRM",
"url": "https://github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw"
},
{
"name": "https://github.com/brokercap/Bifrost/issues/200",
"refsource": "MISC",
"url": "https://github.com/brokercap/Bifrost/issues/200"
},
{
"name": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release",
"refsource": "MISC",
"url": "https://github.com/brokercap/Bifrost/releases/tag/v1.8.7-release"
}
]
},
"source": {
"advisory": "GHSA-p6fh-xc6r-g5hw",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39219",
"datePublished": "2022-09-26T13:15:14.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:20:25.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}