Vulnerability Description
Bifrost is a heterogeneous middleware that synchronizes MySQL and MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services in production environments. Versions prior to 1.8.8-release are subject to an authentication bypass for the admin and monitor user groups: removing the `X-Requested-With: XMLHttpRequest` header from a request causes the authentication check to be skipped. This issue has been patched in 1.8.8-release. There are no known workarounds.
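The bug class described above, as an added illustration that is not Bifrost's own code: a hypothetical Go middleware that only authenticates requests carrying the XHR marker header, beside the hardened form that checks credentials on every request. The bearer-token scheme, the `/admin` path and the `probe` helper are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// vulnerableAuth reconstructs the bug class described for CVE-2022-39267:
// the credential check only runs when the request carries
// X-Requested-With: XMLHttpRequest, so a request without that header reaches
// the protected handler unauthenticated. Hypothetical code, not Bifrost's.
func vulnerableAuth(next http.Handler, validToken string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
			if r.Header.Get("Authorization") != "Bearer "+validToken {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedAuth checks credentials on every request; the XHR header is never a precondition.
func hardenedAuth(next http.Handler, validToken string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends an unauthenticated GET /admin through h (with or without the XHR header) and returns the status code.
func probe(h http.Handler, withXHR bool) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if withXHR {
		req.Header.Set("X-Requested-With", "XMLHttpRequest")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	admin := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	fmt.Println("vulnerable, header removed:", probe(vulnerableAuth(admin, "s3cret"), false)) // 200
	fmt.Println("hardened, header removed:  ", probe(hardenedAuth(admin, "s3cret"), false))   // 401
}
```

The same regression check belongs in the project's test suite: an unauthenticated request to an admin route must be rejected whether or not the `X-Requested-With` header is present.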
CVSS Score
HIGH (8.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xbifrost | Bifrost | <= 1.8.6 |
Related Weaknesses (CWE)
References
- https://github.com/brockercap/Bifrost/pull/201 (Broken Link)
- https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j (Patch, Third Party Advisory)
FAQ
What is CVE-2022-39267?
CVE-2022-39267 is a vulnerability with a CVSS score of 8.8 (HIGH). Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject ...
How severe is CVE-2022-39267?
CVE-2022-39267 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above.
Is there a patch for CVE-2022-39267?
Check the references section above for vendor advisories and patch information. Affected products include: Xbifrost Bifrost.