GHSA-9phh-r37v-34wh – github.com/treeverse/lakefs

Package

Manager: go
Name: github.com/treeverse/lakefs
Vulnerable Version: >=0 <0.106.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS: N/A pctlN/A

Details

lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files ### Impact The browser renders the resulting HTML when opening a direct link to an HTML file via lakeFS. Any JavaScript within that page is executed within the context of the domain lakeFS is running in. An attacker can inject a malicious script inline, download resources from another domain, or make arbitrary HTTP requests. This would allow the attacker to send information to a random domain or carry out lakeFS operations while impersonating the victim. Note that to carry out this attack, an attacker must already have access to upload the malicious HTML file to one or more repositories. It also depends on the victim receiving and opening the link to the malicious HTML file. ### Patches This is fixed in lakeFS version 0.106.0 ### Workarounds There are no known workarounds at this time.

Metadata

Created: 2023-08-14T21:10:17Z
Modified: 2023-08-14T21:10:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-9phh-r37v-34wh/GHSA-9phh-r37v-34wh.json
CWE IDs: []
Alternative ID: N/A
Finding: F425
Auto approve: 1