CVE-2022-32170: Improper Authorization

September 28, 2022 (updated November 7, 2023)

The “Bytebase” application does not restrict low privilege user to access admin “projects“ for which an unauthorized user can view the “projects“ created by “Admin” and the affected endpoint is “/api/project?user=${userId}”.

References

github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts
nvd.nist.gov/vuln/detail/CVE-2022-32170
www.mend.io/vulnerability-database/CVE-2022-32170

Detect and mitigate CVE-2022-32170 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →