This happens because the “Issue” endpoint is accessible to any user, not only to “Admin”.

To avoid this situation, we need to restrict the actions that a low-privilege user can perform on the low privilege endpoint.

How to Restrict Access to Issue Endpoint

To restrict the actions that a low-privilege user can perform on the low privilege endpoint, we need to create an authorization filter.
When a low-privilege user tries to access an endpoint protected by the filter, they are asked for their login credentials (for example, their username and password). If they enter valid credentials, they are allowed to perform the actions the endpoint offers (for example, issue an order or review transactions).
If they enter invalid credentials, they are sent back to the low-privilege user interface.

Restricting end point actions

We can restrict the actions that a low-privilege user can perform on the low privilege endpoint by giving them a lower-privilege endpoint.
For example, let’s say we want to restrict our “Issue” endpoint so that it can only be accessed by users with the “Admin” role. To do this, we first create an object named “Issue-AdminRole” that holds the "Admin" role. We then attach this object to our “Issue” endpoint. From then on, anyone who tries to access the “Issue” endpoint without the appropriate privileges gets a 403 status code.
However, there is another way of doing this: adding an HTTP header instructing browsers not to allow anyone but logged-in users to access certain endpoints. This method works well if you're trying to protect your API from unauthenticated users or if you're worried about cross-site scripting vulnerabilities, but it's less flexible and doesn't work in all cases, because it requires server-side configuration changes in order for your request headers to be honored.

Draft the new user permission policy

To ensure that the low privilege endpoint is accessible only to the intended users and not to any other user, we need to implement a permission policy on it.

To draft a permission policy for this endpoint (“Issue”), follow these guidelines:

- If a low-privilege user tries to access this endpoint, they receive an error message and no data is exposed.
- The “Issue” endpoint can be accessed only by users with “Admin” or “Administrator” privileges.
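The authorization filter and permission policy described above, as an added example that is not code from the original page: a deny-by-default role check in front of the “Issue” endpoint that answers 401 to unauthenticated callers and 403 to logged-in users without the “Admin” or “Administrator” role. The `Request` type, the `POLICY` map and the endpoint paths are assumptions made for the example.

```python
# Added example (not from the original page): a deny-by-default authorization
# filter for the "Issue" endpoint. Request, POLICY and the paths are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Tuple

@dataclass
class Request:
    path: str
    user: Optional[str] = None                 # None means not authenticated
    roles: FrozenSet[str] = field(default_factory=frozenset)

# Permission policy: endpoint -> roles allowed to call it.
# Endpoints absent from the map are denied to everyone (deny by default).
POLICY: Dict[str, FrozenSet[str]] = {
    "/issue": frozenset({"Admin", "Administrator"}),
    "/orders": frozenset({"User", "Admin", "Administrator"}),
}

def authorize(request: Request) -> int:
    """Return 200 if the caller may reach request.path, else 401 or 403."""
    if request.user is None:
        return 401                             # not logged in: ask for credentials
    allowed = POLICY.get(request.path, frozenset())
    if request.roles & allowed:
        return 200
    return 403                                 # logged in but lacks the role

def protected(handler: Callable[[Request], Tuple[int, str]]) -> Callable[[Request], Tuple[int, str]]:
    """Authorization filter: runs the policy check before the real handler."""
    def wrapper(request: Request) -> Tuple[int, str]:
        status = authorize(request)
        if status != 200:
            return status, "access denied"     # no business data is exposed
        return handler(request)
    return wrapper

@protected
def issue_endpoint(request: Request) -> Tuple[int, str]:
    # Business logic only runs for callers that passed the filter.
    return 200, f"order issued by {request.user}"

def demo() -> Dict[str, int]:
    # Constructed sample callers: anonymous, ordinary user, administrator.
    callers = {
        "anonymous": Request("/issue"),
        "user": Request("/issue", user="alice", roles=frozenset({"User"})),
        "admin": Request("/issue", user="bob", roles=frozenset({"Admin"})),
    }
    return {name: issue_endpoint(req)[0] for name, req in callers.items()}

if __name__ == "__main__":
    print(demo())   # {'anonymous': 401, 'user': 403, 'admin': 200}
```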

Revoke Access to the Low Privilege Endpoint

Our solution revokes access to the low privilege endpoint, which avoids this issue.

To prevent this issue, we need to restrict the actions that a low-privilege user can perform on the low privilege endpoint by revoking their access to it.

Timeline

Published on: 09/28/2022 10:15:00 UTC
Last modified on: 09/28/2022 12:59:00 UTC

References