Описание
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use vega in an application that attaches both vega library and a vega.View instance similar to the Vega Editor to the global window, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega JSON definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application’s domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.Patched versions are available in vega-selections@6.1.2 (requires ESM) for Vega v6 and vega-selections@5.6.3 (no ESM needed) for Vega v5. As a workaround, do not attach vega or vega.View instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties.
A flaw was found in Vega, a library used for creating interactive data visualizations. This vulnerability affects applications that expose the Vega library globally and process user-provided visualization definitions. A remote attacker could exploit this by convincing a user to open a specially crafted Vega specification. Successful exploitation allows the attacker to execute unauthorized code within the application, potentially leading to the theft of sensitive data or manipulation of information.
Отчет
This vulnerability is rated Important for Red Hat products. It affects applications that expose the Vega library globally and process user-provided visualization definitions, such as JupyterLab in Fedora and EPEL, and certain cloud.redhat.com services. Exploitation requires user interaction with a malicious Vega specification.
Меры по смягчению последствий
To mitigate this issue, applications using the Vega library should avoid attaching vega or vega.View instances to global variables or the window object in production environments. This practice is intended for development and debugging only and should not be used when processing untrusted Vega specifications.
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaSc...
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScrip
Vega is a visualization grammar, a declarative format for creating, sa ...
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
EPSS
8.1 High
CVSS3