bytebase - Improper Authorization
Description
The “Bytebase” application does not restrict low privilege users from accessing admin “projects”, so an unauthorized user can view the “projects” created by “Admin”; the affected endpoint is “/api/project?user=${userId}”.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bytebase does not restrict low privilege users from accessing admin projects, allowing unauthorized viewing of project data via the /api/project endpoint.
Vulnerability
Description
The vulnerability in Bytebase, an open-source database DevOps tool, allows low privilege users to access projects created by administrators. The affected endpoint is /api/project?user=${userId}, which does not enforce appropriate access controls. This means that an unprivileged user can enumerate or view projects that should be restricted to admin roles [1].
Attack Vector
To exploit this vulnerability, an attacker must have a valid low privilege account in Bytebase. The attacker can then craft requests to the /api/project?user=${userId} endpoint, substituting different userId parameters to list or view admin projects. The attack does not require any additional authentication bypass, as the endpoint lacks proper authorization checks for low privilege users [1]. The lack of restriction is evident in the code handling project listing, as seen in the frontend store logic [3].
Impact
An attacker with low privilege access can gain visibility into sensitive project information, including potentially confidential database schemas, configurations, and other operational data that the admin projects contain. This could lead to further targeted attacks or data exposure within the organization's database management workflows. The vulnerability undermines the platform's stated access control and RBAC capabilities [2].
Mitigation
Users should upgrade to a patched version of Bytebase as soon as it becomes available. The Bytebase project maintainers have been notified and a fix is expected. As of the publication date, no workaround is available [1][4].
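To make the missing check concrete, here is an added Go sketch that is not Bytebase's code and not taken from the cited project.ts: it contrasts a listing routine that trusts the caller-supplied user id with one that compares it against the authenticated caller before returning anything. The Role, Principal and Project types and the owner-may-see-all rule are assumptions constructed for the illustration.

```go
package main

import "errors"

// Role is the caller's workspace-level role (constructed for this example).
type Role int

const (
	RoleDeveloper Role = iota // low privilege
	RoleOwner                 // workspace admin
)

type Principal struct {
	ID   int
	Role Role
}

type Project struct {
	ID        int
	MemberIDs []int
}

var ErrForbidden = errors.New("forbidden: caller may not list another user's projects")

// projectsOf returns the projects userID is a member of. Serving this directly
// from the ?user= query value is the flaw class: any authenticated caller can
// read any other user's project list.
func projectsOf(all []Project, userID int) []Project {
	var out []Project
	for _, p := range all {
		for _, m := range p.MemberIDs {
			if m == userID {
				out = append(out, p)
				break
			}
		}
	}
	return out
}

// ListProjects is the checked version: the authenticated caller's identity, not
// the query parameter, decides what is visible. A caller may list only their
// own memberships unless they hold the owner role.
func ListProjects(all []Project, caller Principal, userID int) ([]Project, error) {
	if caller.ID != userID && caller.Role != RoleOwner {
		return nil, ErrForbidden
	}
	return projectsOf(all, userID), nil
}
```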
[1] NVD - CVE-2022-32170
[2] GitHub - bytebase/bytebase: World's most advanced database DevSecOps solution for Developer, Security, DBA and Platform Engineering teams. The GitHub/GitLab for database DevSecOps.
[3] bytebase/frontend/src/store/modules/project.ts at 1.0.4 · bytebase/bytebase
[4] CVE-2022-32170 | Mend Vulnerability Database
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/bytebase/bytebase (Go) | >= 0.1.0, <= 1.0.4 | — |
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-9mmc-27gw-w6mq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-32170 (GHSA, advisory)
- github.com/bytebase/bytebase/blob/1.0.4/frontend/src/store/modules/project.ts (GHSA, x_refsource_MISC, web)
- www.mend.io/vulnerability-database/CVE-2022-32170 (GHSA, x_refsource_MISC, web)
News mentions (0)
No linked articles in our index yet.