Access Restriction Bypass Affecting @budibase/worker package, versions <1.3.20


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (24th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Access Restriction Bypass vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-BUDIBASEWORKER-5819557
  • published4 Aug 2023
  • disclosed17 Sept 2022
  • creditBreno Vitório

Introduced: 17 Sep 2022

CVE-2022-3225  (opens in a new tab)
CWE-284  (opens in a new tab)
CWE-913  (opens in a new tab)

How to fix?

Upgrade @budibase/worker to version 1.3.20 or higher.

Overview

@budibase/worker is a Budibase background service

Affected versions of this package are vulnerable to Access Restriction Bypass. Whenever an admin invites people to be in their tenant, there's a risk that one of these app users change their own role to admin and then make the original admin a simple app user, being now capable of doing anything they would want to, including destroy all of a tenant apps or change their content to something else.

CVSS Scores

version 3.1