GobyVuls/CVE-2022-3926.md
Goby aaf35fe56a
Create CVE-2022-3926.md
add CVE-2022-3926
2023-06-09 17:58:46 +08:00

Bifrost X-Requested-With Authentication Bypass Vulnerability (CVE-2022-39267)

| Field | Value |
|---|---|
| Vulnerability | Bifrost X-Requested-With Authentication Bypass Vulnerability (CVE-2022-39267) |
| Chinese name | Bifrost 中间件 X-Requested-With 系统身份认证绕过漏洞CVE-2022-39267 |
| CVSS score | 8.8 |
| FOFA Query (click to view the results directly) | `body="/dologin" && body="Bifrost"` |
| Number of assets affected | 14 |
| Description | Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the `X-Requested-With: XMLHttpRequest` field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds. |
| Impact | Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB and Kafka to Redis, MongoDB, ClickHouse and other services for production environments. An unauthenticated attacker can bypass authentication by removing the `X-Requested-With` request header and obtain the passwords of the database accounts configured in the environment. |
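The root cause the description points at is an authorization decision that depends on a client-controlled header. The Go snippet below is an added illustration written for this page, not Bifrost's code and not a reconstruction of the 1.8.8 fix: `vulnerableAuth` shows the weak pattern (the session check only runs when the request announces itself as XHR, so dropping the header skips it), and `hardenedAuth` shows the corrected shape, where the header only selects the error representation and the decision rests on server-side session state. The cookie name `bifrost_sid`, the in-memory session map and the `/admin` route are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed session store for the example: cookie value -> role.
var sessions = map[string]string{
	"sess-admin-01": "admin",
}

// roleOf resolves the caller's role from the session cookie; "" means no session.
// The cookie name is an assumption made for this example.
func roleOf(r *http.Request) string {
	c, err := r.Cookie("bifrost_sid")
	if err != nil {
		return ""
	}
	return sessions[c.Value]
}

// vulnerableAuth models the weak pattern: the session check is gated on a
// header the client chooses to send, so a request without it is never checked.
func vulnerableAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
			if roleOf(r) == "" {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedAuth decides solely on server-side session state. The header is
// used only to choose between a JSON 401 (XHR) and a login redirect (browser),
// never to skip the check.
func hardenedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if roleOf(r) == "" {
			if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
				http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			} else {
				http.Redirect(w, r, "/login", http.StatusFound)
			}
			return
		}
		next.ServeHTTP(w, r)
	})
}

// adminHandler stands in for a protected admin endpoint.
var adminHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "admin data")
})

// probe runs one request through the given middleware and returns the HTTP
// status, optionally with the XHR header and/or a session cookie attached.
func probe(mw func(http.Handler) http.Handler, withHeader bool, sid string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if withHeader {
		req.Header.Set("X-Requested-With", "XMLHttpRequest")
	}
	if sid != "" {
		req.AddCookie(&http.Cookie{Name: "bifrost_sid", Value: sid})
	}
	rec := httptest.NewRecorder()
	mw(adminHandler).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("weak pattern, header present, no session:", probe(vulnerableAuth, true, ""))
	fmt.Println("weak pattern, header absent,  no session:", probe(vulnerableAuth, false, ""))
	fmt.Println("hardened,     header present, no session:", probe(hardenedAuth, true, ""))
	fmt.Println("hardened,     header absent,  no session:", probe(hardenedAuth, false, ""))
	fmt.Println("hardened,     header absent,  valid session:", probe(hardenedAuth, false, "sess-admin-01"))
}
```

Running it shows the weak middleware returning 200 to the header-less, session-less request while the hardened one answers 302 or 401 for every session-less request and 200 only once a valid session is present. When reviewing similar middleware, the check to make is that no authorization branch is reachable only because a request header is missing or present.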