Описание
Bifrost vulnerable to authentication check flaw that leads to authentication bypass
Impact
The admin and monitor user groups need to be authenticated by username and password. If we delete the X-Requested-With: XMLHttpRequest field in the request header,the authentication will be bypassed.
Patches
https://github.com/brockercap/Bifrost/pull/201
Workarounds
Upgrade to the latest version
Пакеты
github.com/brokercap/Bifrost
< 1.8.7-release
1.8.7-release
Связанные уязвимости
Bifrost is a heterogeneous middleware that synchronizes MySQL, MariaDB to Redis, MongoDB, ClickHouse, MySQL and other services for production environments. Versions prior to 1.8.8-release are subject to authentication bypass in the admin and monitor user groups by deleting the X-Requested-With: XMLHttpRequest field in the request header. This issue has been patched in 1.8.8-release. There are no known workarounds.
Уязвимость программного средства синхронизации без данных Bifrost, связанная с недостатками процедуры аутентификации, позволяющая нарушителю повысить свои привилегии