Medium

kubeflow

Cross-Site Scripting Vulnerability in Pipelines Artifact Retrieval

A Cross-Site Scripting (XSS) vulnerability was identified in Kubeflow version 1.7.0, specifically in the /pipelines/artifacts/get endpoint. Arbitrary JavaScript supplied in the 'source' parameter can be executed in the browser of a user who opens a crafted link. No fixed version or patch commit is recorded for this issue in the source data.

Available publicly on Dec 14 2023

Remediation Steps
  • Update Kubeflow once a fixed version is published; no fixed version or patch commit is recorded here, so check the upstream Kubeflow security advisories before assuming a newer release addresses this issue.
  • Validate the 'source' parameter against an allow-list of expected values, and HTML-encode any request value that is reflected into a response, so that user-controlled input can never be interpreted as markup or script.
  • Send a Content Security Policy (CSP) header that disallows inline and untrusted script; this limits what an injected payload can do even if an encoding gap remains.
  • Educate users on the risks of opening unknown links and the importance of running updated software.
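The following is an added example, not Kubeflow's own code: a hypothetical artifact-retrieval handler that reflects its 'source' query parameter, written once in the vulnerable form the advisory describes and once applying the remediation steps above (allow-list validation, HTML output encoding, CSP and nosniff headers). The handler names, the allow-list contents, the messages and the constructed request are all assumptions made for illustration.

```javascript
// Added example (not Kubeflow code): hypothetical artifact-retrieval
// handlers showing a reflected-XSS pattern and its hardened form.
// Handler names, the allow-list and the messages are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding: neutralise the characters that change meaning in an
// HTML text or double-quoted attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: accept only known storage backends (hypothetical list)
// instead of trying to block "bad" characters.
const ALLOWED_SOURCES = new Set(["minio", "s3", "gcs", "http", "https"]);

function isValidSource(source) {
  return typeof source === "string" && ALLOWED_SOURCES.has(source);
}

// Vulnerable pattern: no validation and no encoding, so whatever was in the
// URL is written straight into the HTML body and runs in the victim's browser.
function vulnerableArtifactHandler(query) {
  const source = query.source;
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<p>Fetching artifact from ${source}</p>`,
  };
}

// Hardened response headers. The CSP forbids inline and remote script, so an
// encoding slip elsewhere could not execute; nosniff stops browsers from
// reinterpreting a text body as HTML.
const SECURITY_HEADERS = {
  "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
};

function hardenedArtifactHandler(query) {
  const source = query.source;
  if (!isValidSource(source)) {
    // Reject unknown values. The echoed value is still encoded, and the body
    // is served as plain text so the browser never parses it as markup.
    return {
      status: 400,
      headers: { "Content-Type": "text/plain; charset=utf-8", ...SECURITY_HEADERS },
      body: `Unsupported artifact source: ${escapeHtml(source)}`,
    };
  }
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8", ...SECURITY_HEADERS },
    body: `<p>Fetching artifact from ${escapeHtml(source)}</p>`,
  };
}

// Constructed sample input: the query a crafted link would carry.
const CRAFTED_QUERY = { source: "<script>alert(document.cookie)</script>" };

// Side-by-side comparison of what each handler ships back to the browser.
function demo() {
  return {
    vulnerable: vulnerableArtifactHandler(CRAFTED_QUERY).body,
    hardened: hardenedArtifactHandler(CRAFTED_QUERY).body,
  };
}

console.log(demo());
```

The vulnerable handler returns the `<script>` element intact inside `text/html`, which is exactly the condition a reflected XSS needs; the hardened handler rejects the value at validation, encodes it anyway in the error message, and ships it with a CSP that would block inline script even if the encoding were bypassed.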
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A