Improper Authorization in bytebase/bytebase

Valid

Reported on

Feb 2nd 2022
Description

Hello bytebase team, there is an improper privilege management issue in the bytebase source code: it allows a user to view another user's inbox.

Proof of Concept

  1. Install bytebase and create two new users, user1 and user2.
  2. Log in as user1, go to /api/inbox?user={user-id} and change user-id to the id of user2.
  3. See that user1 can view user2's inbox.
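
To put the missing check in a defender's terms, the following is an added Go example (not bytebase's own code; the handler names, the context key and the sample inbox data are assumptions) that places the pattern the report describes beside its fixed form: the hardened handler compares the requested user id with the authenticated principal before returning anything.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Constructed sample inboxes keyed by user id, standing in for the real store.
var inboxes = map[int]string{101: "welcome user1", 102: "review request for user2"}
type principalKey struct{}

// withPrincipal simulates the session middleware storing the authenticated user's id.
func withPrincipal(r *http.Request, userID int) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), principalKey{}, userID))
}

// vulnerableInbox trusts ?user= alone, so any signed-in user can read any inbox (the reported defect).
func vulnerableInbox(w http.ResponseWriter, r *http.Request) {
	requested, err := strconv.Atoi(r.URL.Query().Get("user"))
	if err != nil {
		http.Error(w, "bad user id", http.StatusBadRequest)
		return
	}
	fmt.Fprint(w, inboxes[requested])
}

// fixedInbox keeps the URL shape but serves only the principal's own inbox; anything else gets 403.
func fixedInbox(w http.ResponseWriter, r *http.Request) {
	principal, ok := r.Context().Value(principalKey{}).(int)
	requested, err := strconv.Atoi(r.URL.Query().Get("user"))
	if !ok || err != nil || requested != principal {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, inboxes[requested])
}

// fetchInbox issues GET /api/inbox?user=<forUser> as asUser and returns the status code.
func fetchInbox(h http.HandlerFunc, asUser, forUser int) int {
	req := httptest.NewRequest(http.MethodGet, "/api/inbox?user="+strconv.Itoa(forUser), nil)
	rec := httptest.NewRecorder()
	h(rec, withPrincipal(req, asUser))
	return rec.Code
}

func main() {
	// user1 (101) asking for user2's (102) inbox: 200 before the fix, 403 after.
	fmt.Println(fetchInbox(vulnerableInbox, 101, 102), fetchInbox(fixedInbox, 101, 102))
}
```

The same comparison against the session principal belongs on every endpoint that takes a user id from the request, not only the inbox route.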

Impact

This vulnerability allows a user to view another user's inbox.

Occurrences

We are processing your report and will contact the bytebase team within 24 hours. 4 months ago
We have contacted a member of the bytebase team and are waiting to hear back 4 months ago
bytebase/bytebase maintainer validated this vulnerability 4 months ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the bytebase team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the bytebase team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the bytebase team. This report is now considered stale. 3 months ago
bytebase/bytebase maintainer confirmed that a fix has been merged on 4a92f4 3 months ago
The fix bounty has been dropped
inbox.go#L16 has been validated