Lucene search

Veracode Vulnerability DatabaseVERACODE:41291

HistoryJul 14, 2023 - 9:41 a.m.

Cross-Site Scripting (XSS)

2023-07-1409:41:18

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site scripting

github

jaeger

gloo-jaeger-ui

keyvaluestable

javascript

security vulnerability

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

38.2%

JSON

github.com/jaegertracing/jaeger and gloo-jaeger-ui are vulnerable to Cross-Site Scripting (XSS) attacks. The vulnerability is triggered when rendering key-value tables in jaeger UI using the KeyValuesTable component, which allows an attacker to inject and execute malicious javascript on a victim’s browser.

CPENameOperatorVersion
github.com/jaegertracing/jaegerlev1.46.0
gloo-jaeger-uile1.30.0
github.com/jaegertracing/jaegerlev1.46.0
gloo-jaeger-uile1.30.0

Name	Operator	Version
github.com/jaegertracing/jaeger	le	v1.46.0
gloo-jaeger-ui	le	1.30.0
github.com/jaegertracing/jaeger	le	v1.46.0
gloo-jaeger-ui	le	1.30.0

References

github.com/advisories/GHSA-2w8w-qhg4-f78j

github.com/jaegertracing/jaeger-ui/blob/v1.31.0/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49

github.com/jaegertracing/jaeger-ui/commit/7df099cb5a91c6ce296d234f290823557db9bf2c

github.com/jaegertracing/jaeger-ui/pull/1498

github.com/jaegertracing/jaeger-ui/security/advisories/GHSA-vv24-rm95-q56r

github.com/mafintosh/json-markup/pull/15