CVE-2022-32170 - OpenCVE

The “Bytebase” application does not restrict low privilege user to access admin “projects“ for which an unauthorized user can view the “projects“ created by “Admin” and the affected endpoint is “/api/project?user=${userId}”.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bytebase	Bytebase

Configuration 1 [-]

cpe:2.3:a:bytebase:bytebase:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts#L166-L197
https://www.mend.io/vulnerability-database/CVE-2022-32170

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-09-28T09:30:18.081795Z

Updated: 2024-09-16T17:03:20.651Z

Reserved: 2022-05-31T00:00:00

Link: CVE-2022-32170

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-28T10:15:09.740

Modified: 2023-11-07T03:47:44.620

Link: CVE-2022-32170

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "bytebase", "vendor": "bytebase", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0.1.0", "versionType": "custom"}, {"lessThanOrEqual": "1.0.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "datePublic": "2022-09-21T00:00:00", "descriptions": [{"lang": "en", "value": "The \u201cBytebase\u201d application does not restrict low privilege user to access admin \u201cprojects\u201c for which an unauthorized user can view the \u201cprojects\u201c created by \u201cAdmin\u201d and the affected endpoint is \u201c/api/project?user=${userId}\u201d."}], "metrics": [{"other": {"content": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": 3.1}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-28T09:30:17", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32170"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts#L166-L197"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "bytebase - Improper Authorization", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "Sep 21, 2022, 12:00:00 AM", "ID": "CVE-2022-32170", "STATE": "PUBLIC", "TITLE": "bytebase - Improper Authorization"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "bytebase", "version": {"version_data": [{"version_affected": ">=", "version_value": "0.1.0"}, {"version_affected": "<=", "version_value": "1.0.4"}]}}]}, "vendor_name": "bytebase"}]}}, "credit": [{"lang": "eng", "value": "Mend Vulnerability Research Team (MVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The \u201cBytebase\u201d application does not restrict low privilege user to access admin \u201cprojects\u201c for which an unauthorized user can view the \u201cprojects\u201c created by \u201cAdmin\u201d and the affected endpoint is \u201c/api/project?user=${userId}\u201d."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": 3.1}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-285 Improper Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.mend.io/vulnerability-database/CVE-2022-32170", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-32170"}, {"name": "https://github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts#L166-L197", "refsource": "MISC", "url": "https://github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts#L166-L197"}]}, "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:32:56.023Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-32170"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts#L166-L197"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-32170", "datePublished": "2022-09-28T09:30:18.081795Z", "dateReserved": "2022-05-31T00:00:00", "dateUpdated": "2024-09-16T17:03:20.651Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}