Advisory Database

GMS-2023-1838: lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files

August 14, 2023

Impact

When a direct link to an HTML file stored in lakeFS is opened, the browser renders the resulting HTML. Any JavaScript within that page is executed in the context of the domain lakeFS is running on. An attacker can inject a malicious script inline, load resources from another domain, or make arbitrary HTTP requests. This would allow the attacker to send information to an arbitrary domain or carry out lakeFS operations while impersonating the victim.

Note that to carry out this attack, an attacker must already have access to upload the malicious HTML file to one or more repositories. It also depends on the victim receiving and opening the link to the malicious HTML file.
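As an added example (not lakeFS code, and not the change in the referenced fix commit), this hypothetical Go handler shows one way an object store front end can serve user-uploaded files without letting an HTML object render in the application's origin: renderable types are forced to download, and a sandboxing CSP covers the case where a browser renders anyway. The handler name, the content-type list and the sample HTML are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample object standing in for an uploaded HTML file.
const sampleHTML = `<html><body><script>fetch("/api/v1/repositories")</script></body></html>`

// isActiveContent reports whether a stored object's declared type would be
// rendered, and any script in it executed, if a browser opened it directly.
func isActiveContent(contentType string) bool {
	mt := strings.ToLower(strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0]))
	switch mt {
	case "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml":
		return true
	}
	return false
}

// serveStoredObject writes a user-uploaded object (hypothetical handler).
// Renderable types are served as an attachment with an opaque content type,
// and a sandboxing CSP denies script execution in this origin regardless.
func serveStoredObject(w http.ResponseWriter, name, contentType string, body []byte) {
	h := w.Header()
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	if isActiveContent(contentType) {
		contentType = "application/octet-stream"
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	}
	h.Set("Content-Type", contentType)
	_, _ = w.Write(body)
}

// responseHeadersFor runs the handler in-process and returns the headers a
// browser would receive, so the behaviour can be checked without a server.
func responseHeadersFor(name, contentType string, body []byte) http.Header {
	rec := httptest.NewRecorder()
	serveStoredObject(rec, name, contentType, body)
	return rec.Result().Header
}

func main() {
	h := responseHeadersFor("page.html", "text/html; charset=utf-8", []byte(sampleHTML))
	fmt.Println(h.Get("Content-Type"), "|", h.Get("Content-Disposition"))
}
```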

Patches

This is fixed in lakeFS version 0.106.0.

Workarounds

There are no known workarounds at this time.

References

  • github.com/advisories/GHSA-9phh-r37v-34wh
  • github.com/treeverse/lakeFS/commit/2b2a9fa156ad80b0aac043e17533b546b1800603
  • github.com/treeverse/lakeFS/releases/tag/v0.106.0
  • github.com/treeverse/lakeFS/security/advisories/GHSA-9phh-r37v-34wh


Affected versions

All versions before 0.106.0

Fixed versions

  • v0.106.0

Solution

Upgrade to version 0.106.0 or above.

Source file

go/github.com/treeverse/lakefs/GMS-2023-1838.yml


Page generated Wed, 14 May 2025 12:16:08 +0000.