The CVE-2022-39350 vulnerability affects the Dependency-Track frontend, an open source Component Analysis platform used by organizations to identify and reduce risks in their software supply chain. This vulnerability allows for Cross-Site Scripting (XSS) attacks due to unsafe rendering of markdown text using the Showdown JavaScript library. We'll discuss the details of this vulnerability, potential risks, and mitigation actions.

Details

Dependency-Track, an open source Component Analysis platform, is commonly used by organizations to identify and reduce risks within their software supply chain. The frontend of Dependency-Track, known as @dependencytrack/frontend, is a Single Page Application (SPA) that is vulnerable to XSS attacks.

The vulnerability, tracked as CVE-2022-39350, affects versions of @dependencytrack/frontend before 4.6.1. It arises from the use of the Showdown JavaScript library to render markdown text without encoding or sanitizing the output. Showdown has no built-in XSS countermeasures, so arbitrary JavaScript supplied in HTML attributes (for example a link's href) is passed through to the page and executed.

Actors with the VULNERABILITY_MANAGEMENT permission can exploit this vulnerability by creating or editing a custom vulnerability containing XSS payloads in the following fields: Description, Details, Recommendation, or References. The payload is then executed for users with the VIEW_PORTFOLIO permission when they visit the modified vulnerability's page.

Although it is possible for malicious actors to introduce harmful JavaScript via vulnerability databases mirrored by Dependency-Track, this attack vector is unlikely and has not been observed by Dependency-Track's maintainers. The Vulnerability Details element of the Audit Vulnerabilities tab in the project view remains unaffected.

Resolution

Developers have patched the issue in version 4.6.1 of the Dependency-Track frontend. Users are advised to update to 4.6.1 to mitigate potential XSS attacks.

For additional information about Dependency-Track and the vulnerable frontend library, refer to the following resources:

- Dependency-Track: https://dependencytrack.org/
- Dependency-Track Frontend: https://github.com/DependencyTrack/frontend/

Here's an example of a markdown payload demonstrating how the issue is triggered:

Custom Vulnerability Description:
[Click here for more details](javascript:alert('XSS') "test")

By inserting this payload in the Description field of a custom vulnerability, users with the VIEW_PORTFOLIO permission would trigger the JavaScript alert when they click on the "Click here for more details" link.
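The following is an added example, not code from Dependency-Track, Showdown or this advisory's author. It shows the two defensive layers a practitioner would put in front of the markdown fields named above (Description, Details, Recommendation, References): a pre-render check that flags link targets whose scheme is not allow-listed, and a post-render pass that removes unsafe URL attributes and event handlers from the HTML string a markdown renderer emits, while keeping the visible text. The rendered-HTML sample is constructed for the example (Showdown's exact escaping may differ), and the sanitizer is regex based only so the demo is self-contained; a production application should run the rendered HTML through a DOM-based sanitizer such as DOMPurify instead.

```javascript
// Added example, not Dependency-Track or Showdown code. Two defensive layers
// for markdown fields such as Description, Details, Recommendation and
// References: a pre-render check on the markdown, and a post-render pass over
// the HTML string a markdown renderer emits. The sanitizer is regex based for
// the sake of a self-contained demo; production code should use a DOM-based
// sanitizer such as DOMPurify on the rendered HTML instead.

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode numeric and the common named entities so that an encoded scheme such
// as "&#106;avascript:" is checked in its decoded form.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  const cp = (n) => (n > 0x10ffff ? "" : String.fromCodePoint(n));
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => named[n]);
}

// A URL is acceptable if it is relative or uses an allow-listed scheme.
// Control characters and whitespace are dropped first, because browsers ignore
// them inside a scheme ("java\tscript:" still runs).
function isSafeUrl(rawUrl) {
  const url = decodeEntities(rawUrl).replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true; // no scheme: relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Layer 1: inspect the markdown before it is stored or rendered and return the
// link targets that fail isSafeUrl. Covers inline links and images, including
// one level of balanced parentheses in the URL, and reference-style definitions.
function findUnsafeMarkdownLinks(markdown) {
  const inlineRe =
    /!?\[[^\]]*\]\(\s*<?((?:[^\s()<>]|\([^\s()]*\))+)>?(?:\s+(?:"[^"]*"|'[^']*'|\([^)]*\)))?\s*\)/g;
  const refRe = /^\s*\[[^\]]+\]:\s*<?([^\s>]+)>?/gm;
  const unsafe = [];
  for (const re of [inlineRe, refRe]) {
    for (const [, target] of markdown.matchAll(re)) {
      if (!isSafeUrl(target)) unsafe.push(target);
    }
  }
  return unsafe;
}

// Layer 2: sanitize the rendered HTML string. Drops script-like elements with
// their content, every on* event-handler attribute, style attributes, and any
// URL-bearing attribute whose value fails isSafeUrl. Text content is kept.
// Attributes may be separated by "/" as well as whitespace ("<a/href=...>"),
// so both are accepted as separators and self-closing slashes are dropped.
function sanitizeRenderedHtml(html) {
  const urlAttrs = new Set(["href", "src", "xlink:href", "formaction", "action"]);
  const attrRe = /[\s/]+([a-z_:][-a-z0-9_:.]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/gi;
  const tagRe =
    /<([a-z][a-z0-9-]*)((?:[\s/]+[^\s/=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)[\s/]*>/gi;
  return html
    .replace(/<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "")
    .replace(tagRe, (_, tag, attrs) => {
      const kept = [];
      for (const [, name, value] of attrs.matchAll(attrRe)) {
        const n = name.toLowerCase();
        if (n.startsWith("on") || n === "style") continue;
        if (value !== undefined && urlAttrs.has(n)) {
          const unquoted = value.replace(/^["']|["']$/g, "");
          if (!isSafeUrl(unquoted)) continue;
        }
        kept.push(value === undefined ? name : `${name}=${value}`);
      }
      return `<${tag}${kept.length ? " " + kept.join(" ") : ""}>`;
    });
}

// Constructed samples: the payload from the text above, and the HTML a
// markdown renderer produces for it (exact escaping may differ from Showdown).
const PAYLOAD = `[Click here for more details](javascript:alert('XSS') "test")`;
const RENDERED = `<p><a href="javascript:alert('XSS')" title="test">Click here for more details</a></p>`;

console.log(findUnsafeMarkdownLinks(PAYLOAD)); // one unsafe target: the javascript: URL
console.log(sanitizeRenderedHtml(RENDERED));    // the href is gone, the link text and title remain
```

Layer 1 is the check a backend can apply when a custom vulnerability is created or edited, so that an unsafe target is rejected before it is ever stored; layer 2 is the belt-and-braces step on the rendering side, which also protects against content that arrives through other paths, such as mirrored vulnerability databases.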

Stay vigilant and keep your software up-to-date to minimize the potential impact of such vulnerabilities.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 19:24:00 UTC