CVE-2024-2435 - OpenCVE

For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal. Access to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/temporalio/ui-server/releases/tag/v2.25.0

History

No history.

MITRE

Status: PUBLISHED

Assigner: Temporal

Published: 2024-04-02T16:40:24.552Z

Updated: 2024-08-01T19:11:53.568Z

Reserved: 2024-03-13T17:29:42.211Z

Link: CVE-2024-2435

Vulnrichment

Updated: 2024-08-01T19:11:53.568Z

NVD

Status : Awaiting Analysis

Published: 2024-04-02T17:15:46.610

Modified: 2024-04-02T18:12:16.283

Link: CVE-2024-2435

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2435", "assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968", "state": "PUBLISHED", "assignerShortName": "Temporal", "dateReserved": "2024-03-13T17:29:42.211Z", "datePublished": "2024-04-02T16:40:24.552Z", "dateUpdated": "2024-08-01T19:11:53.568Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://hub.docker.com/r/temporalio/ui", "defaultStatus": "unaffected", "modules": ["Timeline view"], "packageName": "temporalio/ui", "product": "ui-server", "repo": "https://github.com/temporalio/ui-server", "vendor": "Temporal OSS", "versions": [{"lessThan": "2.25.0", "status": "affected", "version": "2.16.2", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.<br>Access to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).<br>"}], "value": "For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.\nAccess to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).\n"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "61241ed8-fa44-4f23-92db-b8c443751968", "shortName": "Temporal", "dateUpdated": "2024-04-02T16:40:24.552Z"}, "references": [{"tags": ["release-notes"], "url": "https://github.com/temporalio/ui-server/releases/tag/v2.25.0"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS in Timeline View", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2435", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-02T18:46:48.461273Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:30:46.501Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.568Z"}, "title": "CVE Program Container", "references": [{"tags": ["release-notes", "x_transferred"], "url": "https://github.com/temporalio/ui-server/releases/tag/v2.25.0"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/temporalio/ui-server/releases/tag/v2.25.0", "tags": ["release-notes", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.568Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2435", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-02T18:46:48.461273Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:21.339Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Stored XSS in Timeline View", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/temporalio/ui-server", "vendor": "Temporal OSS", "modules": ["Timeline view"], "product": "ui-server", "versions": [{"status": "affected", "version": "2.16.2", "lessThan": "2.25.0", "versionType": "semver"}], "packageName": "temporalio/ui", "collectionURL": "https://hub.docker.com/r/temporalio/ui", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/temporalio/ui-server/releases/tag/v2.25.0", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.\nAccess to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).\n", "supportingMedia": [{"type": "text/html", "value": "For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.<br>Access to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "61241ed8-fa44-4f23-92db-b8c443751968", "shortName": "Temporal", "dateUpdated": "2024-04-02T16:40:24.552Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2435", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:11:53.568Z", "dateReserved": "2024-03-13T17:29:42.211Z", "assignerOrgId": "61241ed8-fa44-4f23-92db-b8c443751968", "datePublished": "2024-04-02T16:40:24.552Z", "assignerShortName": "Temporal"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "For an attacker with pre-existing access to send a signal to a workflow, the attacker can make the signal name a script that executes when a victim views that signal. The XSS is in the timeline page displaying the workflow execution details of the workflow that was sent the crafted signal.\nAccess to send a signal to a workflow is determined by how you configured the authorizer on your server. This includes any entity with permission to directly call SignalWorkflowExecution or SignalWithStartWorkflowExecution, or any entity can deploy a worker that has access to call workflow progress APIs (specifically RespondWorkflowTaskCompleted).\n"}, {"lang": "es", "value": "Para que un atacante con acceso preexistente env\u00ede una se\u00f1al a un flujo de trabajo, el atacante puede hacer que la se\u00f1al nombre un script que se ejecute cuando una v\u00edctima vea esa se\u00f1al. El XSS se encuentra en la p\u00e1gina de la l\u00ednea de tiempo y muestra los detalles de ejecuci\u00f3n del flujo de trabajo al que se envi\u00f3 la se\u00f1al dise\u00f1ada. El acceso para enviar una se\u00f1al a un flujo de trabajo est\u00e1 determinado por c\u00f3mo configur\u00f3 el autorizador en su servidor. Esto incluye cualquier entidad con permiso para llamar directamente a SignalWorkflowExecution o SignalWithStartWorkflowExecution, o cualquier entidad que pueda implementar un trabajador que tenga acceso para llamar a las API de progreso del flujo de trabajo (espec\u00edficamente RespondWorkflowTaskCompleted)."}], "id": "CVE-2024-2435", "lastModified": "2024-04-02T18:12:16.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "security@temporal.io", "type": "Secondary"}]}, "published": "2024-04-02T17:15:46.610", "references": [{"source": "security@temporal.io", "url": "https://github.com/temporalio/ui-server/releases/tag/v2.25.0"}], "sourceIdentifier": "security@temporal.io", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@temporal.io", "type": "Secondary"}]}