Create CVE-2022-3926.md

add CVE-2022-3926
Goby 2023-06-09 17:58:46 +08:00 committed by GitHub
parent 3025991a2e
commit aaf35fe56a
GPG Key ID: 4AEE18F83AFDEB23

CVE-2022-3926.md

@ -0,0 +1,12 @@
## Bifrost X-Requested-With Authentication Bypass Vulnerability (CVE-2022-39267)
| **Vulnerability** | **Bifrost X-Requested-With Authentication Bypass Vulnerability (CVE-2022-39267)** |
| :----: | :-----|
| **Chinese name** | Bifrost 中间件 X-Requested-With 系统身份认证绕过漏洞CVE-2022-39267 |
| **CVSS core** | 8.8 |
| **FOFA Query** (click to view the results directly)| [body="/dologin" && body="Bifrost"](https://en.fofa.info/result?qbase64=Ym9keT0iL2RvbG9naW4iICYmIGJvZHk9IkJpZnJvc3Qi) |
| **Number of assets affected** | 14 |
| **Description** | Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds. |
| **Impact** | Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB and Kafka to Redis, MongoDB, ClickHouse and other services for production environments. It can bypass identity authentication by deleting request headers and obtain passwords for various database accounts configured in the environment. |
![](https://s3.bmp.ovh/imgs/2023/06/09/5d975955f9fd76d9.gif)
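Review bot: the file name does not match its contents: the commit creates CVE-2022-3926.md, but the heading, the Vulnerability row and the Chinese name row all identify the issue as CVE-2022-39267, so the file should be named CVE-2022-39267.md (and the commit title adjusted) before anyone searches the repository by CVE ID. Three smaller points in the same table: "CVSS core" in the score row should read "CVSS score"; the Description and Impact rows both open with the same "Bifrost is a heterogeneous middleware ..." sentence but list different sources (one says "MySQL, MariaDB", the other "MySQL, MariaDB and Kafka"), so state the product sentence once and let the Impact row carry only the impact; and the only evidence for the bypass is a GIF on an external image host (s3.bmp.ovh), so the request that demonstrates it (sent with and without the X-Requested-With: XMLHttpRequest header, with the differing responses) should also be written out in the file, since the hosted image can disappear.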