4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-32170

GHSA ID

GHSA-9mmc-27gw-w6mq

EPSS Score

0.38961%

CWE

CWE-285

Published

9/29/2022

Updated

4/24/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-32170

CVE-2022-32170: Bytebase allows low-privilege users to view admin projects

Overview

The "Bytebase" application does not restrict low privilege user from accessing admin projects

Details

The "Bytebase" application does not restrict low privilege user from accessing admin projects for which an unauthorized user can view the "projects" created by "Admin". The affected endpoint is /api/project?user=${userId}.

PoC

Log in to the application as both "Admin" (admin@example.com:admin) and Developer "User" (user@admin.com:user) and then click on "Projects".
Now open "Burp suite" and turn "Intercept on" and from "admin" dashboard click on "projects" and see the "user id" of "admin" in the capture request.
Note the "user id" and "Forward" the request and again capture the request of "projects" from the "user" dashboard and change "user id" to "admin user id" and "Forward" the request.
Now "user" can see the "projects" created by "admin".

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-32170

CVE-2022-32170:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-32170

GHSA ID

GHSA-9mmc-27gw-w6mq

EPSS Score

0.38961%

CWE

CWE-285

Published

9/29/2022

Updated

4/24/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/bytebase/bytebase	go	>= 0.1.0, <= 1.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the frontend's project store module where the fetchProjectListByUser function directly uses user-controlled userId parameters in API requests. The code shows the endpoint is constructed as /api/project?user=${userId} without server-side validation of the requesting user's permissions to access projects for that specific userId. This matches the PoC where modifying the userId parameter exposes admin projects, indicating missing authorization checks in the associated backend/frontend interaction.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-32170: Bytebase allows low-privilege users to view admin projects

Overview

Details

PoC

CVE-2022-32170:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2022-32170: Bytebase allows low-privilege users to view admin projects

Overview

Details

PoC

4.3

4.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI