CVE-2022-39350

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

@dependencytrack/frontend is a Single Page Application (SPA) used in Dependency-Track, an open source Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend. Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: Description, Details, Recommendation, or References. The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerability's page. Alternatively, malicious JavaScript could be introduced via any of the vulnerability databases mirrored by Dependency-Track. However, this attack vector is highly unlikely, and the maintainers of Dependency-Track are not aware of any occurrence of this happening. Note that the `Vulnerability Details` element of the `Audit Vulnerabilities` tab in the project view is not affected. The issue has been fixed in frontend version 4.6.1.

dependencytrack/frontend es una aplicación de página única (SPA) usada en Dependency-Track, una plataforma de análisis de componentes de código abierto que permite a las organizaciones identificar y reducir el riesgo en la cadena de suministro de software. Debido a la práctica común de proporcionar detalles de vulnerabilidad en formato markdown, el frontend de Dependency-Track los renderiza usando la biblioteca JavaScript Showdown. Showdown no presenta ninguna contramedida de tipo XSS incorporada, y Las versiones anteriores a 4.6.1 del frontend Dependency-Track no codificaban ni saneaban la salida de Showdown. Esto hacía posible que el JavaScript arbitrario incluido en los detalles de la vulnerabilidad por medio de atributos HTML es ejecutadora en el contexto del frontend. Los actores con el permiso "VULNERABILITY_MANAGEMENT" pueden explotar esta debilidad al crear o editar una vulnerabilidad personalizada y proporcionando cargas útiles de tipo XSS en cualquiera de los siguientes campos: Description, Details, Recommendation, o References. La carga útil es ejecutada para usuarios con el permiso "VIEW_PORTFOLIO" cuando naveguen a la página de la vulnerabilidad modificada. Alternativamente, el JavaScript malicioso podría ser introducido por medio de cualquiera de las bases de datos de vulnerabilidades reflejadas por Dependency-Track. Sin embargo, este vector de ataque es altamente improbable, y los mantenedores de Dependency-Track no presentan conocimiento de que esto ocurra. Tenga en cuenta que el elemento "Detalles de la vulnerabilidad" de la pestaña "Auditoría de vulnerabilidades" en la vista del proyecto no está afectado. El problema ha sido corregido en versión 4.6.1 del frontend

*Credits: N/A

CVSS Scores

NISTv3.1 5.4

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-10-25 CVE Published
2024-08-03 CVE Updated
2024-09-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
https://docs.dependencytrack.org/changelog	Release Notes
https://github.com/DependencyTrack/frontend/security/advisories/GHSA-c33w-pm52-mqvf	Third Party Advisory
https://github.com/showdownjs/showdown/wiki/Markdown%27s-XSS-Vulnerability-%28and-how-to-mitigate-it%29

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Owasp Search vendor "Owasp"		Dependency-track Frontend Search vendor "Owasp" for product "Dependency-track Frontend"				< 4.6.1 Search vendor "Owasp" for product "Dependency-track Frontend" and version " < 4.6.1"		-		Affected