Impact
The admin and monitor user groups are required to authenticate with a username and password. If the `X-Requested-With: XMLHttpRequest` request header is omitted, that authentication check is bypassed. Because the header is supplied by the client, an unauthenticated attacker only has to send the request without it.
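To make the shape of the bug concrete, the following is an added example written for this advisory, not Bifrost's own code: a minimal `net/http` gate that reproduces the described behaviour (authentication only enforced when the XHR header is present) beside a hardened gate that authenticates every request, with an in-memory probe that shows the header-stripped request getting through the vulnerable gate but not the fixed one. The credential table, handler names and Basic-auth scheme are assumptions for illustration only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical credential table for the example; not Bifrost's real account store.
var users = map[string]string{"admin": "s3cret"}

// checkBasicAuth validates HTTP Basic credentials against the table.
func checkBasicAuth(r *http.Request) bool {
	u, p, ok := r.BasicAuth()
	if !ok {
		return false
	}
	want, known := users[u]
	return known && want == p
}

// vulnerableGate models the flaw described above: the credential check only
// runs when the request carries X-Requested-With: XMLHttpRequest. Any client
// that simply omits that header is passed straight through to the handler.
func vulnerableGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
			if !checkBasicAuth(r) {
				w.WriteHeader(http.StatusUnauthorized)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// fixedGate authenticates every request unconditionally. A client-controlled
// header must never decide whether the check runs at all.
func fixedGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !checkBasicAuth(r) {
			w.Header().Set("WWW-Authenticate", `Basic realm="admin"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// protected stands in for the admin/monitor endpoints.
var protected = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprint(w, "admin panel")
})

// probe issues one in-memory request against h and returns the status code.
// An empty user sends no credentials; withHeader controls the XHR header.
func probe(h http.Handler, withHeader bool, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if withHeader {
		req.Header.Set("X-Requested-With", "XMLHttpRequest")
	}
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := vulnerableGate(protected)
	fixed := fixedGate(protected)
	fmt.Println("vulnerable, XHR header, no creds:    ", probe(vuln, true, "", ""))              // 401
	fmt.Println("vulnerable, header removed, no creds:", probe(vuln, false, "", ""))             // 200: bypass
	fmt.Println("fixed, header removed, no creds:     ", probe(fixed, false, "", ""))            // 401
	fmt.Println("fixed, header removed, valid creds:  ", probe(fixed, false, "admin", "s3cret")) // 200
}
```

The same probe translates directly into a check against a live instance: send the admin request once with and once without `X-Requested-With: XMLHttpRequest` and no credentials; a patched build answers 401 both times, an affected one answers 200 to the second request.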
Patches
https://github.com/brokercap/Bifrost/pull/201
Workarounds
Upgrade to the latest version
References
- https://github.com/brokercap/Bifrost/security/advisories/GHSA-mxrx-fg8p-5p5j
- https://github.com/brokercap/Bifrost/pull/201
- https://github.com/brokercap/Bifrost/commit/63da5c8eb7eb21639ea7ac199fe10b5e07b03a8a
- https://nvd.nist.gov/vuln/detail/CVE-2022-39267
- https://github.com/advisories/GHSA-mxrx-fg8p-5p5j