CVE-2022-46151
CVE-2022-46151 is a medium-severity vulnerability with a CVSS v3.1 base score of 6.1. Querybook is an open source data querying UI. In affected versions, user-provided data is not escaped in the `error` field of the auth callback URL in `querybook/server/app/auth/oauth_auth.py` and `querybook/server/app/auth/okta_auth.py`, allowing reflected cross-site scripting. EPSS estimates a 0.41% chance of exploitation in the next 30 days.
Description
Querybook is an open source data querying UI. In affected versions, user-provided data is not escaped in the `error` field of the auth callback URL in `querybook/server/app/auth/oauth_auth.py` and `querybook/server/app/auth/okta_auth.py`. This may allow attackers to perform reflected cross-site scripting (XSS) if Content Security Policy (CSP) is not enabled or `unsafe-inline` is allowed. Users are advised to upgrade to the latest, patched version of Querybook (version 3.14.2 or greater). Users unable to upgrade may enable CSP without allowing `unsafe-inline`, or manually escape query parameters in a reverse proxy in front of Querybook.
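The bug class and both mitigations the advisory names, as an added example that is not code from the Querybook project: the template, handler names and the callback URL below are hypothetical and only reproduce the pattern of interpolating an unescaped `error` query parameter into HTML. The CSP check goes slightly beyond the advisory text in that it also treats a nonce or hash source as disabling `'unsafe-inline'`, which is how CSP level 2 and later browsers behave.

```python
"""Reflected XSS via an unescaped OAuth/OIDC callback `error` parameter.

Added example, not code from Querybook. The template, function names and
the attacker URL are hypothetical stand-ins for the pattern the advisory
describes.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical error page shown when the identity provider redirects back
# with an error; the `error` value comes straight from the query string.
_TEMPLATE = "<html><body><h1>Login failed</h1><p>{error}</p></body></html>"

# Constructed attacker-controlled callback URL (not a real Querybook URL).
PAYLOAD_URL = (
    "https://example.invalid/oauth2callback"
    "?error=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def error_from_callback_url(url: str) -> str:
    """Extract the provider-supplied `error` query parameter from a callback URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("error", [""])[0]


def render_error_unsafe(error: str) -> str:
    """Vulnerable pattern: attacker-controlled text interpolated directly into HTML."""
    return _TEMPLATE.format(error=error)


def render_error_safe(error: str) -> str:
    """Hardened pattern: HTML-escape (including quotes) before interpolation."""
    return _TEMPLATE.format(error=html.escape(error, quote=True))


def inline_script_allowed(csp: str) -> bool:
    """Return True if this Content-Security-Policy would still let an injected
    inline <script> execute.

    script-src governs scripts and falls back to default-src. If neither is
    present the policy does not cover scripts at all. A nonce or hash source
    makes browsers ignore 'unsafe-inline' (CSP level 2+), so its presence
    means the reflected script is blocked even if 'unsafe-inline' is listed.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no directive restricts scripts
    if any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in sources):
        return False
    return "unsafe-inline" in sources


if __name__ == "__main__":
    err = error_from_callback_url(PAYLOAD_URL)
    print("unsafe:", render_error_unsafe(err))
    print("safe:  ", render_error_safe(err))
    for policy in (
        "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "default-src 'self'",
    ):
        verdict = "inline script runs" if inline_script_allowed(policy) else "blocked"
        print(f"{policy!r} -> {verdict}")
```

To check the reverse-proxy mitigation, feed the `Content-Security-Policy` header your proxy actually emits on the callback route into `inline_script_allowed`; a policy that only sets `default-src 'self'` blocks the reflected script, while one listing `'unsafe-inline'` without a nonce or hash does not.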
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pinterest | Querybook | < 3.14.2 |
References
- https://github.com/pinterest/querybook/commit/88a7f10495bf5ed1a556ade51a2f2794e403c063 (Patch, Third Party Advisory)
- https://github.com/pinterest/querybook/security/advisories/GHSA-mrrw-9wf7-xq6w (Mitigation, Third Party Advisory)
Frequently Asked Questions
What is CVE-2022-46151?
A reflected cross-site scripting (XSS) vulnerability in Querybook's OAuth and Okta authentication callback handling: the `error` field of the callback URL is rendered without escaping, so an attacker who gets a victim to open a crafted callback URL can run script in the victim's browser.
How severe is CVE-2022-46151?
Medium, with a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Exploitation requires user interaction, and it is fully prevented by a CSP that does not allow `unsafe-inline`.
How do I fix CVE-2022-46151?
Upgrade to Querybook 3.14.2 or later. If you cannot upgrade, enable CSP without `unsafe-inline`, or escape query parameters in a reverse proxy in front of Querybook.
Source: NVD / NIST
