Description
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine. This is fixed in version 5.17.3.
A flaw was found in nodejs-vega. An attacker, using a specially crafted Vega expression, could execute a cross-site scripting attack on a victim's machine, allowing them to execute arbitrary JavaScript. The highest threat from this vulnerability is to data confidentiality and integrity.
Statement
In OpenShift Container Platform 4 (OCP), the openshift4/ose-logging-kibana6 container does package a vulnerable version of the vega library. However, for an attacker to successfully perform a reflected XSS attack, a visualization must already exist and its details must be known to the attacker, since the visualization ID must be referenced. Given this, and because a stored XSS attack requires higher privileges, the impact has been set to Moderate.
Mitigation
For Kibana, which bundles the vega dependency, Vega visualizations can be turned off by setting `vega.enabled: false` in `kibana.yml`.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.11 | kibana | Not affected | | |
| Red Hat OpenShift Container Platform 4 | kibana | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-logging-kibana6 | Will not fix | | |
Additional Information
Status:
CVSS3: 8.7 High