4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-32170

GHSA ID

GHSA-9mmc-27gw-w6mq

EPSS Score

0.25548%

CWE

CWE-285

Published

9/29/2022

Updated

4/24/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-32170

CVE-2022-32170: Bytebase allows low-privilege users to view admin projects

Overview

The "Bytebase" application does not restrict low privilege user from accessing admin projects

Details

The "Bytebase" application does not restrict low privilege user from accessing admin projects for which an unauthorized user can view the "projects" created by "Admin". The affected endpoint is /api/project?user=${userId}.

PoC

Log in to the application as both "Admin" (admin@example.com:admin) and Developer "User" (user@admin.com:user) and then click on "Projects".
Now open "Burp suite" and turn "Intercept on" and from "admin" dashboard click on "projects" and see the "user id" of "admin" in the capture request.
Note the "user id" and "Forward" the request and again capture the request of "projects" from the "user" dashboard and change "user id" to "admin user id" and "Forward" the request.
Now "user" can see the "projects" created by "admin".

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-32170

GHSA ID

GHSA-9mmc-27gw-w6mq

EPSS Score

0.25548%

CWE

CWE-285

Published

9/29/2022

Updated

4/24/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/bytebase/bytebase	go	>= 0.1.0, <= 1.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the frontend's project store module where the fetchProjectListByUser function directly uses user-controlled userId parameters in API requests. The code shows the endpoint is constructed as /api/project?user=${userId} without server-side validation of the requesting user's permissions to access projects for that specific userId. This matches the PoC where modifying the userId parameter exposes admin projects, indicating missing authorization checks in the associated backend/frontend interaction.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w T** "*yt***s*" *ppli**tion *o*s not r*stri*t low privil*** us*r *rom ****ssin* **min proj**ts ### **t*ils T** "*yt***s*" *ppli**tion *o*s not r*stri*t low privil*** us*r *rom ****ssin* **min proj**ts *or w*i** *n un*ut*oriz** us*r **n v

Reasoning

T** vuln*r**ility st*ms *rom t** *ront*n*'s proj**t stor* mo*ul* w**r* t** **t**Proj**tList*yUs*r *un*tion *ir**tly us*s us*r-*ontroll** us*rI* p*r*m*t*rs in *PI r*qu*sts. T** *o** s*ows t** *n*point is *onstru*t** *s `/*pi/proj**t?us*r=${us*rI*}` wi

4.3

Basic Information

Concerned about an active attack path?

CVE-2022-32170: Bytebase allows low-privilege users to view admin projects

Overview

Details

PoC

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI