VYPR
Moderate severity · NVD Advisory · Published Jun 20, 2023 · Updated Dec 9, 2024

CVE-2020-21485

Description

Cross Site Scripting vulnerability in Alluxio v.1.8.1 allows a remote attacker to execute arbitrary code via the path parameter in the browse board component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in Alluxio v1.8.1 allows attackers to execute arbitrary JavaScript via the path parameter.

Vulnerability

Overview

A reflected cross-site scripting (XSS) vulnerability exists in Alluxio version 1.8.1, a distributed caching platform for large-scale data [1]. The flaw occurs in the Browse board component, where user-supplied input to the path parameter is not properly sanitized before being rendered in the response [2]. This allows an attacker to inject arbitrary web scripts or HTML.
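
The unsanitized rendering described above, next to a hardened form, as an added example that is not Alluxio's code or the project's fix. The class and method names, the `<h1>` markup and the sample paths are hypothetical, and it assumes browse paths are absolute and contain no control characters.

```java
import java.util.regex.Pattern;

public class BrowsePathEncoding {
    // Assumption: a valid browse path starts with "/" and has no control characters.
    private static final Pattern CONTROL = Pattern.compile("\\p{Cntrl}");

    /** HTML-encode text for element content or a quoted attribute value. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the request parameter is concatenated into markup as-is. */
    static String renderUnsafe(String path) {
        return "<h1>Browsing " + path + "</h1>";
    }

    /** Hardened: fall back to "/" for malformed paths, then encode at the point of output. */
    static String renderSafe(String path) {
        if (path == null || !path.startsWith("/") || CONTROL.matcher(path).find()) {
            path = "/";
        }
        return "<h1>Browsing " + escapeHtml(path) + "</h1>";
    }

    public static void main(String[] args) {
        // Constructed sample values for the path parameter.
        String[] samples = { "/data/2023", "/<b>tmp</b>", "\"><i>x</i>" };
        for (String p : samples) {
            System.out.println("unsafe: " + renderUnsafe(p));
            System.out.println("safe:   " + renderSafe(p));
        }
    }
}
```

The validation step alone is not sufficient, since a path that starts with `/` can still contain markup; the encoding at output is what keeps the value from being parsed as HTML.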

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that carries a JavaScript payload in the path parameter, e.g., http:///browse?path=%2F&offset=0&limit=9 with injected script [3]. Because the vulnerability is reflected, the payload executes in the victim's browser when the URL is visited. No authentication is required, so any remote attacker who can trick a user into clicking the link can exploit it.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to cookie theft, session hijacking, defacement, or redirection to malicious sites [2]. The impact is amplified if the Alluxio web interface is accessible over the network.

Mitigation

As of the disclosure date, no official patch has been released for this vulnerability. Users of Alluxio v1.8.1 should consider upgrading to a later version if available, or restrict access to the web interface to trusted users only. The issue remains unpatched in the affected version [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.alluxio:alluxio-parent (Maven) | <= 1.8.1 | |

Affected products: 3

Patches: 0

No patches discovered yet.

References: 3
