Medium

kubeflow

Cross-Site Scripting Vulnerability in Pipelines Artifact Retrieval

A Cross-Site Scripting (XSS) vulnerability was identified in Kubeflow version 1.7.0, specifically within the /pipelines/artifacts/get endpoint. This vulnerability allows arbitrary JavaScript code to be executed via the 'source' parameter. The available advisory data does not state whether the issue has been patched.

Available publicly on Dec 14 2023

Threat Overview

The vulnerability arises from the application's failure to properly sanitize the 'source' parameter used in the artifact retrieval process of Kubeflow's pipeline feature. An attacker can exploit this by crafting a malicious URL that includes a script tag in the 'source' parameter. When this URL is visited, the script executes within the context of the user's browser session, potentially leading to account hijacking, cookie theft, or browser hijacking.

Attack Scenario

An attacker crafts a malicious URL containing a script in the 'source' parameter and convinces a user to click on it or embeds it in a website visited by the user. When the user's browser processes the request, the script executes, allowing the attacker to perform actions on behalf of the user or steal sensitive information such as session cookies.

Who is affected

Users of Kubeflow version 1.7.0 who interact with the /pipelines/artifacts/get endpoint are at risk, especially if they follow links containing the 'source' parameter from untrusted sources.
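For triage, the following added example (not part of the advisory and not Kubeflow code) scans web access logs for requests to /pipelines/artifacts/get whose 'source' parameter decodes to HTML markup. The combined log format, the markup heuristic and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/pipelines/artifacts/get"   # endpoint named in the advisory
PARAM = "source"                        # parameter named in the advisory

# Markup that has no place in an artifact source value (assumed heuristic).
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.I)
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_source(target):
    """Return the decoded 'source' value if it carries markup, else None."""
    parts = urlsplit(target)
    # endswith() tolerates a reverse-proxy path prefix in front of the endpoint.
    if not parts.path.rstrip("/").endswith(ENDPOINT):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = fully_decode(raw)
        if MARKUP.search(value):
            return value
    return None

def scan(lines):
    """Yield (line_number, decoded_value) for every flagged log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hit = suspicious_source(match.group(1)) if match else None
        if hit is not None:
            yield number, hit

# Constructed sample log lines, not taken from a real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Dec/2023:10:00:01 +0000] "GET /pipelines/artifacts/get?source=minio&bucket=mlpipeline&key=a.tgz HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Dec/2023:10:00:07 +0000] "GET /pipelines/artifacts/get?source=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 97',
    '10.0.0.9 - - [14/Dec/2023:10:00:09 +0000] "GET /pipelines/artifacts/get?source=%253Cscript%253E1%253C%252Fscript%253E HTTP/1.1" 200 97',
    '10.0.0.7 - - [14/Dec/2023:10:00:12 +0000] "GET /pipelines/runs?source=%3Cb%3E HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    print(list(scan(SAMPLE_LOG)))
```

A hit shows that a crafted link was requested, not that script ran in a browser; correlate flagged lines with the referrer and the user session before drawing conclusions.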
