Bytebase allows low-privilege users to view admin projects
Moderate severity
GitHub Reviewed
Published Sep 29, 2022 to the GitHub Advisory Database
Updated Apr 24, 2024
Package
Affected versions
>= 0.1.0, <= 1.0.4
Patched versions
None
Description
Published by the National Vulnerability Database
Sep 28, 2022
Reviewed
Apr 24, 2024
Overview
The Bytebase application does not restrict low-privilege users from accessing projects that belong to an Admin. No patched version is listed in this advisory.
Details
The Bytebase application does not restrict low-privilege users from accessing admin projects: a user who is not authorized to see them can view the projects created by an Admin. The affected endpoint is
/api/project?user=${userId}
The user query parameter selects whose projects are returned, and the server does not verify that the requesting user is entitled to view that user's projects, so a low-privilege user can supply another user's ID.
PoC
Log in as the admin (admin@example.com:admin) and as Developer "User" (user@admin.com:user), then click on "Projects".
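To make the bug class concrete, the following is an added example and not Bytebase's own code: a minimal Go handler for /api/project?user= that returns whichever user's projects the query parameter names (the vulnerable shape), beside a hardened version that takes the caller's identity from the request context and refuses a non-owner who asks for anyone but themselves. The Role, Principal and Project types, the sample projects and the role names are assumptions made for this example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Role names and the Principal/Project types are assumptions for this
// example; they are not Bytebase's own types.
type Role string

const (
	RoleOwner     Role = "OWNER"
	RoleDeveloper Role = "DEVELOPER"
)

type Principal struct {
	ID   int
	Role Role
}

type Project struct {
	ID      int    `json:"id"`
	Name    string `json:"name"`
	OwnerID int    `json:"ownerId"`
}

// Constructed sample data: project 1 was created by the admin (user 1),
// project 2 by the developer (user 2).
var projects = []Project{
	{ID: 1, Name: "admin-only", OwnerID: 1},
	{ID: 2, Name: "dev-sandbox", OwnerID: 2},
}

type ctxKey int

const principalKey ctxKey = 0

// projectsForUser returns the projects owned by userID.
func projectsForUser(userID int) []Project {
	var out []Project
	for _, p := range projects {
		if p.OwnerID == userID {
			out = append(out, p)
		}
	}
	return out
}

// vulnerableHandler mirrors the flaw: the ID in ?user= alone decides which
// projects come back, and the caller's own identity is never consulted.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	userID, err := strconv.Atoi(r.URL.Query().Get("user"))
	if err != nil {
		http.Error(w, "bad user id", http.StatusBadRequest)
		return
	}
	json.NewEncoder(w).Encode(projectsForUser(userID))
}

// hardenedHandler reads the caller from the request context (where an auth
// middleware would place it) and only lets a non-owner query their own ID.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	caller, ok := r.Context().Value(principalKey).(Principal)
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	userID, err := strconv.Atoi(r.URL.Query().Get("user"))
	if err != nil {
		http.Error(w, "bad user id", http.StatusBadRequest)
		return
	}
	if caller.Role != RoleOwner && caller.ID != userID {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	json.NewEncoder(w).Encode(projectsForUser(userID))
}

// callAs sends GET /api/project?user=<target> as caller and returns the
// HTTP status plus the names of any projects in the response body.
func callAs(h http.HandlerFunc, caller Principal, target int) (int, []string) {
	req := httptest.NewRequest(http.MethodGet, "/api/project?user="+strconv.Itoa(target), nil)
	req = req.WithContext(context.WithValue(req.Context(), principalKey, caller))
	rec := httptest.NewRecorder()
	h(rec, req)
	var names []string
	if rec.Code == http.StatusOK {
		var ps []Project
		if err := json.NewDecoder(rec.Body).Decode(&ps); err == nil {
			for _, p := range ps {
				names = append(names, p.Name)
			}
		}
	}
	return rec.Code, names
}

func main() {
	dev := Principal{ID: 2, Role: RoleDeveloper}
	code, names := callAs(vulnerableHandler, dev, 1)
	fmt.Println("vulnerable, developer asks for user 1:", code, names)
	code, names = callAs(hardenedHandler, dev, 1)
	fmt.Println("hardened, developer asks for user 1:", code, names)
	code, names = callAs(hardenedHandler, dev, 2)
	fmt.Println("hardened, developer asks for user 2:", code, names)
}
```

Run as-is to see the developer (user 2) retrieve the admin's "admin-only" project through the vulnerable handler, get 403 for the same request through the hardened one, and still see their own project when they ask for their own ID. The check belongs on the server side of every object lookup; a UI that merely hides the admin's projects does nothing against a direct request to the endpoint.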