BIT-vault-2020-16251
Cross-site scripting vulnerability in vault (Go)
What is BIT-vault-2020-16251 About?
This vulnerability is a cross-site scripting (XSS) flaw in Apache Airflow versions before 2.10.0, allowing a malicious provider to execute XSS when a user clicks on a provider documentation link. It can lead to arbitrary code execution within the victim's browser. Exploitation requires the installation of a malicious provider and user interaction, making it a conditional risk.
Affected Software
- github.com/hashicorp/vault
- >1.4.0, <1.4.4
- >1.5.0, <1.5.1
- >0.8.3, <1.2.5
- >1.3.0, <1.3.8
Technical Details
The vulnerability originates from a cross-site scripting (XSS) flaw within Apache Airflow. A malicious provider, once installed on the web server, can inject arbitrary scripts into the provider documentation link. When a user with sufficient privileges (e.g., an administrator or other user who can view provider documentation) clicks on this specially crafted documentation link, the injected script is executed within their web browser. This occurs because the application fails to properly sanitize or encode the output when rendering content related to provider documentation, allowing the malicious script to bypass security controls and execute within the context of the user's session.
What is the Impact of BIT-vault-2020-16251?
Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, steal session tokens or credentials, deface web pages, redirect users to malicious sites, and potentially lead to information disclosure or unauthorized actions on behalf of the victim.
What is the Exploitability of BIT-vault-2020-16251?
Exploitation of this XSS vulnerability is conditional. It requires remote access for the attacker to successfully install a malicious provider on the Airflow web server, which itself implies some level of prior access or compromise. Once installed, user interaction is necessary: a user must specifically click on the malicious provider documentation link. No specific authentication is required from the user during the act of clicking the link if they are already logged into Airflow and have access to view provider documentation. The complexity is moderate, involving both server-side malicious provider deployment and client-side user interaction. Risk factors include lax controls over provider installation and users unknowingly interacting with malicious links.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-vault-2020-16251?
Available Upgrade Options
- github.com/hashicorp/vault
  - >0.8.3, <1.2.5 → Upgrade to 1.2.5
  - >1.3.0, <1.3.8 → Upgrade to 1.3.8
  - >1.4.0, <1.4.4 → Upgrade to 1.4.4
  - >1.5.0, <1.5.1 → Upgrade to 1.5.1
Additional Resources
- http://packetstormsecurity.com/files/159479/Hashicorp-Vault-GCP-IAM-Integration-Authentication-Bypass.html
- https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#151
- https://www.hashicorp.com/blog/category/vault
- https://github.com/hashicorp/vault
- https://nvd.nist.gov/vuln/detail/CVE-2020-16251
- https://osv.dev/vulnerability/GHSA-4mp7-2m29-gqxf
What are Similar Vulnerabilities to BIT-vault-2020-16251?
Similar Vulnerabilities: CVE-2023-50164, CVE-2023-50165, CVE-2022-44606, CVE-2022-44607, CVE-2021-25329
