GHSA-9phh-r37v-34wh: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files

1. GitHub Advisory Database
2. GitHub Reviewed
3. GHSA-9phh-r37v-34wh

lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files

Moderate severity GitHub Reviewed Published Aug 14, 2023 in treeverse/lakeFS • Updated Aug 14, 2023

Package

gomod github.com/treeverse/lakefs (Go)

Affected versions

< 0.106.0

Impact

The browser renders the resulting HTML when opening a direct link to an HTML file via lakeFS. Any JavaScript within that page is executed within the context of the domain lakeFS is running in.
An attacker can inject a malicious script inline, download resources from another domain, or make arbitrary HTTP requests. This would allow the attacker to send information to a random domain or carry out lakeFS operations while impersonating the victim.

Note that to carry out this attack, an attacker must already have access to upload the malicious HTML file to one or more repositories. It also depends on the victim receiving and opening the link to the malicious HTML file.

Patches

This is fixed in lakeFS version 0.106.0

Workarounds

There are no known workarounds at this time.

References

• GHSA-9phh-r37v-34wh
• treeverse/lakeFS@2b2a9fa
• https://github.com/treeverse/lakeFS/releases/tag/v0.106.0

Published to the GitHub Advisory Database

Aug 14, 2023

Last updated

Aug 14, 2023