GHSA-9phh-r37v-34wh

Source
https://github.com/advisories/GHSA-9phh-r37v-34wh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-9phh-r37v-34wh/GHSA-9phh-r37v-34wh.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9phh-r37v-34wh
Aliases
Published
2023-08-14T21:10:17Z
Modified
2024-08-21T14:42:36.916532Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Summary
lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files
Details

Impact

When a direct link to an HTML file is opened via lakeFS, the browser renders the returned HTML, and any JavaScript within that page executes in the context of the domain lakeFS is running in.
An attacker can inject a malicious script inline, load resources from another domain, or make arbitrary HTTP requests. This would allow the attacker to send information to an attacker-chosen domain or carry out lakeFS operations while impersonating the victim.

Note that to carry out this attack, an attacker must already have access to upload the malicious HTML file to one or more repositories. It also depends on the victim receiving and opening the link to the malicious HTML file.
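The pattern described above, shown as an added Go illustration that is not lakeFS code and not the project's actual fix: one handler passes a stored object's content type straight through (so an uploaded HTML file renders in the serving origin), the other treats user objects as opaque downloads. The handler names, the header choices and the sample object are assumptions made for this example.

```go
package main

import (
	"mime"
	"net/http"
	"net/http/httptest"
)

// isActiveContent reports whether a browser would render and script a body of this type.
func isActiveContent(ct string) bool {
	mt, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return true // unparseable type: treat as active rather than guess
	}
	switch mt {
	case "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml":
		return true
	}
	return false
}

// serveUnsafe passes the stored type through, so uploaded HTML renders in the serving origin.
func serveUnsafe(w http.ResponseWriter, ct string, body []byte) {
	w.Header().Set("Content-Type", ct)
	w.Write(body)
}

// serveHardened serves user objects as opaque downloads and never as browser-active types.
func serveHardened(w http.ResponseWriter, ct string, body []byte) {
	if isActiveContent(ct) {
		ct = "text/plain; charset=utf-8" // downgrade so the body is shown, not interpreted
	}
	h := w.Header()
	h.Set("Content-Type", ct)
	h.Set("X-Content-Type-Options", "nosniff") // stop the browser sniffing it back to HTML
	h.Set("Content-Disposition", "attachment") // deliver as a file, not an inline page
	w.Write(body)
}

// headersFor serves one constructed HTML object through either handler and returns its headers.
func headersFor(hardened bool) http.Header {
	rec := httptest.NewRecorder()
	body := []byte("<html><body>report</body></html>") // constructed sample object
	if hardened {
		serveHardened(rec, "text/html", body)
	} else {
		serveUnsafe(rec, "text/html", body)
	}
	return rec.Result().Header
}
```

Serving uploads from a separate origin (a sandboxed domain) is the stronger control; the headers above reduce the impact when the same origin must be used.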

Patches

This is fixed in lakeFS version 0.106.0.

Workarounds

There are no known workarounds at this time.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-14T21:10:17Z",
    "severity": "MODERATE",
    "cwe_ids": []
}
References

Affected packages

Go / github.com/treeverse/lakefs

Package

Name
github.com/treeverse/lakefs
Purl
pkg:golang/github.com/treeverse/lakefs

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.106.0