CVE-2022-38790 Weave GitOps Enterprise has a cross-site scripting bug that allows a malicious user to inject a javascript: link that will execute with the victim user's permission.
The link is then copied and pasted into a Weave GitOps Enterprise annotation to link to a custom resource. An annotation editor field can then be used to add a script. This results in the UI being vulnerable to XSS. The XSS can be exploited to inject arbitrary script code into GitOps Enterprise, which can be used by an attacker to, for example, take over the user or craft a phishing email to get access to GitOps Enterprise. A similar issue could be exploited to inject arbitrary script code into the UI of other similar applications that allow to link to custom resources via annotations. This issue has been in Weave for two years. Previous versions of Weave GitOps Enterprise were not vulnerable. Weave GitOps Enterprise 0.9.0-rc.5 and earlier is vulnerable.
Impact Weave GitOps Enterprise is widely used in enterprises. An attacker could craft a phishing email, for example, to trick an employee into installing the malicious software. The attacker could then exploit this XSS to gain access to the GitOps Enterprise user account. Any user who has a vulnerable custom resource linked to their GitOps Enterprise can be exploited. The XSS can also be exploited to craft a phishing email to users of other similar UIs.
References: CVE-2022-38790
https://weave.works/blog/2018/03/13/security-advisory-xss-injection-in-gitops-enterprise
https://www.sophos.com/en-us/support/knowledgebase/81432.aspx
How to achieve the XSS in Weave GitOps Enterprise
First, an attacker would need to convince a user to install the malicious software. For example, an attacker could lure the user into clicking on a link that appears as if it is from their employer. The malicious software could be delivered via email like any other malware.
Next, they would need to get the URL of their custom resource (which can be found in Weave GitOps Enterprise by clicking on the 'Resources' tab). A script can then be used to inject the XSS into the UI.
Finally, they would need to leverage this XSS to access personal data or login credentials for the GitOps Enterprise user account.
Mitigation Strategies
The XSS can be mitigated by not linking custom resources to the GitOps Enterprise UI.
Timeline
Published on: 09/01/2022 13:15:00 UTC
Last modified on: 09/07/2022 17:06:00 UTC
References
- https://docs.gitops.weave.works/docs/intro
- https://docs.gitops.weave.works/security/cve/enterprise/CVE-2022-38790/index.html
- https://www.weave.works/product/gitops-enterprise/
- https://docs.gitops.weave.works/docs/cluster-management/getting-started/#profiles-and-clusters
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38790