CVE-2022-39219: Incorrect Permission Assignment for Critical Resource

September 26, 2022 (updated July 11, 2023)

Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior is vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to write requests when they are normally forbidden from doing so. Version 1.8.7-release contains a patch. There are currently no known workarounds.

References

github.com/brokercap/Bifrost/issues/200
github.com/brokercap/Bifrost/releases/tag/v1.8.7-release
github.com/brokercap/Bifrost/security/advisories/GHSA-p6fh-xc6r-g5hw
nvd.nist.gov/vuln/detail/CVE-2022-39219

Detect and mitigate CVE-2022-39219 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →