Vulnerability Description
Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script executes with the victim's permissions. The exposure appears in the Weave GitOps Enterprise UI via a GitopsCluster dashboard link, since that link is read from an annotation that can be added to a GitopsCluster custom resource.
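The defensive point of the description is that a link rendered from a Kubernetes annotation is attacker-controlled input and must be validated by URL scheme before it becomes an href. The following TypeScript is an added example written for this page, not Weave GitOps project code: it shows the vulnerable pattern (annotation value used directly as an href) beside a hardened version that only accepts absolute http(s) URLs. The annotation key prefix, the cluster object shape, and the sample cluster are all constructed assumptions; the real annotation key used by Weave GitOps is not given on this page.

```typescript
// Added example (not Weave GitOps code): scheme-validating a dashboard link
// that a UI derives from an annotation on a GitopsCluster custom resource.

// Only these URL schemes may become clickable dashboard links.
const ALLOWED_PROTOCOLS: string[] = ["http:", "https:"];

// Hypothetical annotation key prefix; the real key is not stated on the page.
export const DASHBOARD_ANNOTATION_PREFIX = "example.weave.works/dashboard.";

// Minimal shape of a GitopsCluster object as the UI would receive it (assumed).
export interface GitopsClusterLike {
  metadata: { name: string; annotations?: { [key: string]: string } };
}

export interface DashboardLink {
  title: string;
  href: string;
}

// Returns a normalised absolute http(s) URL, or null if the value must not be
// rendered as a link. Parsing with the WHATWG URL parser matters: it strips
// leading/trailing control characters and removes embedded tabs and newlines,
// so obfuscated forms such as " java\nscript:" still normalise to a
// "javascript:" scheme and are rejected, whereas a naive startsWith check
// on the raw string would let them through.
export function safeDashboardHref(raw: string): string | null {
  let url: URL;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // relative or unparseable values are not linkable
  }
  if (ALLOWED_PROTOCOLS.indexOf(url.protocol) === -1) {
    return null;
  }
  return url.href;
}

function titleFromKey(key: string): string {
  return key.slice(DASHBOARD_ANNOTATION_PREFIX.length);
}

// Vulnerable pattern: every annotation value is trusted as an href, so a
// script-scheme value reaches the DOM unchanged.
export function unsafeDashboardLinks(cluster: GitopsClusterLike): DashboardLink[] {
  const annotations = cluster.metadata.annotations || {};
  const links: DashboardLink[] = [];
  for (const key of Object.keys(annotations)) {
    if (key.indexOf(DASHBOARD_ANNOTATION_PREFIX) !== 0) continue;
    links.push({ title: titleFromKey(key), href: annotations[key] });
  }
  return links;
}

// Hardened pattern: links whose scheme is not http(s) are dropped before render.
export function dashboardLinks(cluster: GitopsClusterLike): DashboardLink[] {
  const annotations = cluster.metadata.annotations || {};
  const links: DashboardLink[] = [];
  for (const key of Object.keys(annotations)) {
    if (key.indexOf(DASHBOARD_ANNOTATION_PREFIX) !== 0) continue;
    const href = safeDashboardHref(annotations[key]);
    if (href === null) continue;
    links.push({ title: titleFromKey(key), href });
  }
  return links;
}

// Constructed sample: one benign dashboard annotation and one with an
// inert script-scheme value of the kind the advisory describes.
export const sampleCluster: GitopsClusterLike = {
  metadata: {
    name: "dev-cluster",
    annotations: {
      [DASHBOARD_ANNOTATION_PREFIX + "grafana"]: "https://grafana.example.internal/d/abc",
      [DASHBOARD_ANNOTATION_PREFIX + "evil"]: " java\nscript:void(0)",
      "unrelated.example.com/note": "javascript:void(0)",
    },
  },
};
```

Running `dashboardLinks(sampleCluster)` yields only the Grafana entry, while `unsafeDashboardLinks(sampleCluster)` returns both dashboard annotations, including the script-scheme one. The same allowlist-by-parsed-scheme check applies to any UI field that turns cluster metadata into an anchor.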
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Weave.Works | Gitops | < 0.9.0 |
Related Weaknesses (CWE)
References
- https://docs.gitops.weave.works/docs/cluster-management/getting-started/#profile (Product, Vendor Advisory)
- https://docs.gitops.weave.works/docs/intro (Product, Vendor Advisory)
- https://docs.gitops.weave.works/security/cve/enterprise/CVE-2022-38790/index.htm (Exploit, Patch, Vendor Advisory)
- https://www.weave.works/product/gitops-enterprise/ (Product, Vendor Advisory)
FAQ
What is CVE-2022-38790?
CVE-2022-38790 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute ...
How severe is CVE-2022-38790?
CVE-2022-38790 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-38790?
Check the references section above for vendor advisories and patch information. Affected products include: Weave.Works Gitops.