PT-2024-12300 · Episerver · Pi Server

Diego95Root (+1)

Published 2024-02-08 · Updated 2024-10-21

CVE-2023-32192

CVSS v3.1: 8.3 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

API Server versions prior to the patched versions, including master, release/v2.8, release/v2.8.s3, release/v2.7, release/v2.7.s3, and release/v2.6, with specific commits: 4fd7d82, 69b3c2b, a3b9e37, 4e102cf, 97a10a3, and 4df268e.

Description

A vulnerability has been identified in the API Server's public API endpoint that allows unauthenticated cross-site scripting (XSS). It enables an attacker to execute arbitrary JavaScript code in the victim's browser. The attack vector is a reflected XSS: the API Server propagates a malicious payload from user input to the UI and renders it in the output. For example, a malicious URL can be rendered into a script that is executed on a page.

Recommendations

To resolve the issue, update the API Server to a patched version, including the specific commits: 4fd7d82, 69b3c2b, a3b9e37, 4e102cf, 97a10a3, and 4df268e, for the respective branches: master, release/v2.8, release/v2.8.s3, release/v2.7, release/v2.7.s3, and release/v2.6. As a temporary workaround, consider restricting access to the API Server's public API endpoint until a patch is applied. Additionally, encode input that comes from the request URL before adding it to the response: change the URL construction to use url.URL, and escape JavaScript and CSS variables with attribute encoding as defined by OWASP.
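The two encoding steps above, shown as an added example that is not the API Server's code: a handler fragment that reflects request input into a link as-is, next to a hardened version that builds the URL with url.URL and attribute-encodes the result. The base path, the link markup and the input value are constructed for illustration.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
)

// constructedInput is a made-up request value containing markup, standing in
// for the attacker-controlled URL input the advisory describes.
const constructedInput = `"><script>alert(1)</script>`

// unsafeLink reproduces the vulnerable pattern: the request value is
// concatenated into the response unchanged, so a quote in the input closes
// the href attribute and the remainder is parsed by the browser as markup.
func unsafeLink(basePath, q string) string {
	return `<a href="` + basePath + `?q=` + q + `">dashboard</a>`
}

// safeLink applies the recommended steps: build the URL with url.URL so the
// query component is percent-encoded, then attribute-encode the whole URL
// before placing it inside the href attribute.
func safeLink(basePath, q string) (string, error) {
	u, err := url.Parse(basePath)
	if err != nil {
		return "", err
	}
	v := url.Values{}
	v.Set("q", q)
	u.RawQuery = v.Encode() // "><script> becomes %22%3E%3Cscript%3E...
	return `<a href="` + html.EscapeString(u.String()) + `">dashboard</a>`, nil
}

func main() {
	fmt.Println("unsafe:", unsafeLink("/dashboard", constructedInput))
	safe, err := safeLink("/dashboard", constructedInput)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
}
```

Running the program prints the unencoded link with the payload intact and the hardened link in which every quote and angle bracket has been percent-encoded inside the query string.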

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-32192
GHSA-833M-37F7-JQ55
GO-2024-2534

Affected Products

Pi Server