Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05cGhoLXIzN3YtMzR3aM4AA1SQ

lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files

Impact

The browser renders the resulting HTML when opening a direct link to an HTML file via lakeFS. Any JavaScript within that page is executed within the context of the domain lakeFS is running in.
An attacker can inject a malicious script inline, download resources from another domain, or make arbitrary HTTP requests. This would allow the attacker to send information to an arbitrary domain or carry out lakeFS operations while impersonating the victim.

Note that to carry out this attack, an attacker must already have access to upload the malicious HTML file to one or more repositories. It also depends on the victim receiving and opening the link to the malicious HTML file.
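The risk described above, shown as an added example: this is not lakeFS code and not the project's actual fix, which this page does not describe. It is a generic Go sketch of a service returning user-uploaded objects, with the risky response beside a hardened one; the handler names, routes, in-memory store and choice of headers are assumptions.

```go
package main

import (
	"log"
	"mime"
	"net/http"
	"path"
)

// Constructed sample object standing in for a file uploaded to a repository.
var objects = map[string][]byte{"report.html": []byte("<script>/* uploader-controlled */</script>")}
// Media types a browser displays without executing script (SVG is excluded).
var inlineSafe = map[string]bool{"image/png": true, "image/jpeg": true, "text/plain": true}

// serveRaw (hypothetical, risky): echoes the file's own type, so uploaded HTML runs in the app origin.
func serveRaw(w http.ResponseWriter, r *http.Request) {
	body, ok := objects[path.Base(r.URL.Path)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", mime.TypeByExtension(path.Ext(r.URL.Path)))
	w.Write(body)
}

// serveHardened (hypothetical): types off the allow-list become opaque downloads; sniffing and script are blocked.
func serveHardened(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Path)
	body, ok := objects[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	ctype, disposition := mime.TypeByExtension(path.Ext(name)), "inline"
	if mt, _, err := mime.ParseMediaType(ctype); err != nil || !inlineSafe[mt] {
		ctype, disposition = "application/octet-stream", "attachment"
	}
	w.Header().Set("Content-Type", ctype)
	w.Header().Set("Content-Disposition", mime.FormatMediaType(disposition, map[string]string{"filename": name}))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'")
	w.Write(body)
}

func main() {
	http.HandleFunc("/raw/", serveRaw)
	http.HandleFunc("/safe/", serveHardened)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```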

Patches

This is fixed in lakeFS version 0.106.0.

Workarounds

There are no known workarounds at this time.

Permalink: https://github.com/advisories/GHSA-9phh-r37v-34wh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cGhoLXIzN3YtMzR3aM4AA1SQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 9 months ago


CVSS Score: 5.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

Identifiers: GHSA-9phh-r37v-34wh
References: Repository: https://github.com/treeverse/lakeFS
Blast Radius: 0.0

Affected Packages

go:github.com/treeverse/lakefs
Dependent packages: 1
Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.106.0
Fixed in: 0.106.0
All affected versions: 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.22.0, 0.22.1, 0.23.0, 0.23.1, 0.30.0, 0.31.0, 0.31.1, 0.31.2, 0.32.0, 0.32.1, 0.33.0, 0.33.1, 0.40.0, 0.40.1, 0.40.2, 0.40.3, 0.41.0, 0.41.1, 0.42.0, 0.43.0, 0.44.0, 0.44.1, 0.45.0, 0.45.1, 0.46.0, 0.47.0, 0.48.0, 0.48.1, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.52.1, 0.52.2, 0.53.0, 0.53.1, 0.54.0, 0.55.0, 0.56.0, 0.57.0, 0.57.1, 0.57.2, 0.58.0, 0.58.1, 0.59.0, 0.60.0, 0.60.1, 0.61.0, 0.62.0, 0.63.0, 0.64.0, 0.65.0, 0.66.0, 0.67.0, 0.68.0, 0.69.0, 0.69.1, 0.70.0, 0.70.1, 0.70.2, 0.70.3, 0.70.4, 0.70.5, 0.70.6, 0.80.0, 0.80.1, 0.80.2, 0.82.0, 0.83.0, 0.83.2, 0.83.3, 0.83.4, 0.84.0, 0.85.0, 0.86.0, 0.87.0, 0.87.1, 0.88.0, 0.89.0, 0.90.0, 0.90.1, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.94.1, 0.95.0, 0.96.0, 0.96.1, 0.97.0, 0.97.1, 0.97.2, 0.97.3, 0.97.4, 0.97.5, 0.97.6, 0.97.66, 0.97.999, 0.98.0, 0.99.0, 0.99.1, 0.100.0, 0.101.0, 0.101.1, 0.102.0, 0.102.1, 0.102.2, 0.103.0, 0.104.0, 0.105.0
All unaffected versions: 0.106.0, 0.106.1, 0.106.2, 0.107.0, 0.107.1, 0.108.0, 0.109.0, 0.110.0, 0.111.0, 0.111.1, 0.112.0, 0.112.1, 0.113.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0