CVE-2024-47604
📋 TL;DR
CVE-2024-47604 is a cross-site scripting (XSS) vulnerability in NuGet Gallery: attacker-controlled values can end up inside HTML element attributes in a way that lets the attacker inject further attributes, HTML or JavaScript into gallery pages. It affects users of the NuGet Gallery web interface and can lead to session hijacking, credential theft or other client-side attacks that run in the victim's browser session.
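As an added illustration of the vulnerability class (this is not NuGetGallery code, which is C#/Razor; it is a generic Python model written for this page), the following shows why encoding that is safe in element text is not safe inside a quoted attribute, and why an unquoted attribute stays injectable even with quote-aware encoding. The attacker value and the anchor element are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-controlled value, e.g. a metadata field that the page
# later places inside a quoted HTML attribute. Illustrative only.
ATTACKER_VALUE = '" onmouseover="alert(document.cookie)'


def render_naive(value: str) -> str:
    """Vulnerable pattern: encodes & < > but leaves quotes untouched.

    That is enough in element text, but inside a quoted attribute the
    attacker's double quote closes the title attribute and everything
    after it is parsed as new attributes on the element.
    """
    return f'<a title="{html.escape(value, quote=False)}">Example.Pkg</a>'


def render_safe(value: str) -> str:
    """Hardened: attribute-context encoding also turns quotes into entities,
    so the value cannot terminate the attribute it sits in."""
    return f'<a title="{html.escape(value, quote=True)}">Example.Pkg</a>'


def render_unquoted(value: str) -> str:
    """Still vulnerable even with quote-aware encoding: the attribute is not
    quoted, so whitespace ends the value and the rest becomes new attributes."""
    return f'<a title={html.escape(value, quote=True)}>Example.Pkg</a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attributes a browser-style parser sees on the <a> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = dict(attrs)


def attributes_of(markup: str) -> dict:
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def has_event_handler(markup: str) -> bool:
    """True if the rendered element carries any on* attribute, i.e. the injection worked."""
    return any(name.lower().startswith("on") for name in attributes_of(markup))


if __name__ == "__main__":
    for name, render in (("naive", render_naive), ("safe", render_safe)):
        out = render(ATTACKER_VALUE)
        print(f"{name:6} injected={has_event_handler(out)!s:5} {out}")
    out = render_unquoted("x onmouseover=alert(1)")
    print(f"unquoted injected={has_event_handler(out)!s:5} {out}")
```

The rule the example encodes: every dynamic attribute value must be quoted and encoded with an attribute-aware encoder; either half on its own leaves the breakout open.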
💻 Affected Systems
- NuGet Gallery
📦 What is this software?
NuGetGallery is the open-source ASP.NET (C#) web application that powers nuget.org, the package registry for .NET. It is maintained by the NuGet team at Microsoft and published at https://github.com/NuGet/NuGetGallery; self-hosted deployments of this code base are the affected population.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user sessions, credentials, or perform actions on behalf of authenticated users, potentially compromising package uploads or administrative functions.
Likely Case
Session hijacking, credential theft, or defacement of the gallery interface for users who view a gallery page that renders the attacker-controlled attribute value.
If Mitigated
Reduced impact where a strict Content Security Policy and output encoding are in place: CSP can stop an injected inline script or event-handler attribute from executing, but the injection point itself remains until the application is patched, and markup-only attacks (injected links, defacement) may still work.
🎯 Exploit Status
Exploitation requires user interaction (the victim must load a gallery page that renders the injected attribute value) but does not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 3a18689dd0de856e03d081af999783f0e6e7ca70
Vendor Advisory: https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-hq63-27r7-2j64
Restart Required: Yes
Instructions:
1. Update NuGet Gallery to a build that contains commit 3a18689dd0de856e03d081af999783f0e6e7ca70.
2. Redeploy and restart the application server (for an IIS deployment, recycle the application pool).
3. Verify the fix by confirming the deployed revision includes that commit, then re-test the affected attribute rendering in a non-production environment.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Add a strict Content-Security-Policy header (explicit script sources, no 'unsafe-inline' in script-src) to reduce what an injected inline script or event-handler attribute can do in browsers that enforce the policy.
Add a 'Content-Security-Policy' header with appropriate directives in the web server configuration; this limits the blast radius but does not remove the injection point.
Input Validation Filter
Add a filtering layer that rejects or strips values carrying quotes, on* event-handler attributes or javascript: URIs before they reach the gallery.
Configure a web application firewall or request middleware to filter such values, treating it as defence in depth only: filters of this kind are routinely bypassed with encoding variants, and only the vendor fix removes the flaw.
🧯 If You Can't Patch
- Restrict access to the NuGet Gallery interface to trusted networks only.
- Monitor for unusual activity in web server logs and implement alerting for XSS attempts.
🔍 How to Verify
Check if Vulnerable:
A deployment whose source does not include commit 3a18689dd0de856e03d081af999783f0e6e7ca70 is vulnerable.
Check Version:
In the source checkout the deployment was built from, run git merge-base --is-ancestor 3a18689dd0de856e03d081af999783f0e6e7ca70 HEAD; exit status 0 means the commit is an ancestor of the deployed revision. If only build artifacts are available, compare the commit hash recorded in the deployment logs or build metadata against the advisory.
Verify Fix Applied:
Confirm the running build includes the fix commit, then, in a non-production environment, submit a test value such as a double quote followed by an on* attribute into the affected field and confirm that the rendered page shows it encoded inside the attribute rather than as a new attribute on the element.
📡 Detection & Monitoring
Log Indicators:
- Request parameters containing attribute-breakout patterns: a quote or &quot; followed by an event-handler attribute (onclick, onload, onerror, onmouseover), or javascript: URIs, including percent- or entity-encoded variants.
Network Indicators:
- HTTP requests to gallery endpoints whose decoded parameters carry such HTML attribute injections.
SIEM Query:
source="web_server_logs" AND (uri="*gallery*" OR uri="*nuget*") AND (request="*onclick*" OR request="*onload*" OR request="*onerror*" OR request="*javascript:*")
This literal match misses percent-encoded payloads (for example %22%20onload%3D) and fires on benign strings that merely contain the word; decode the request target before matching and require an '=' after the handler name.
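The query above is a literal substring match. As an added example (not from this page or the NuGetGallery project), the following Python decodes the request target before matching and requires the handler name to be followed by '=', so it catches percent- and entity-encoded payloads and skips paths that merely contain the word "onload". The log lines, paths and log format are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in common log format. Invented for this
# example; the paths are placeholders for "gallery endpoints".
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Oct/2024:12:00:00 +0000] "GET /packages/Example.Pkg/1.0.0 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [01/Oct/2024:12:00:01 +0000] "GET /packages?q=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 812',
    '10.0.0.7 - - [01/Oct/2024:12:00:02 +0000] "GET /packages?q=%26quot%3B%20onload%3Dalert(1) HTTP/1.1" 200 812',
    '10.0.0.3 - - [01/Oct/2024:12:00:03 +0000] "GET /profiles/onload-tools HTTP/1.1" 200 2048',
    '10.0.0.4 - - [01/Oct/2024:12:00:04 +0000] "GET /packages?q=href%3Djavascript%3Aalert(1) HTTP/1.1" 200 812',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Attribute-context XSS indicators, applied to the *decoded* request target:
#  1. a quote followed by an event-handler attribute (breaking out of a quoted attribute)
#  2. a bare event-handler attribute with '=' (unquoted attribute injection)
#  3. a javascript: URI (for href/src style attributes)
INDICATOR_RE = re.compile(
    r'''(?:["']\s*on[a-z]+\s*=)|(?:\bon(?:load|error|mouseover|focus|click)\s*=)|(?:javascript\s*:)''',
    re.IGNORECASE,
)


def normalize(target: str) -> str:
    """Undo the encodings used to slip past a literal substring match: two rounds
    of percent-decoding (covers %2522 -> %22 -> ") and HTML entities (&quot; -> ")."""
    return html.unescape(unquote_plus(unquote_plus(target)))


def flag_line(line: str):
    """Return (raw_target, matched_indicator) if the request looks like an
    attribute-injection attempt, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    hit = INDICATOR_RE.search(normalize(m.group("target")))
    return (m.group("target"), hit.group(0)) if hit else None


def scan(lines):
    """(index, (raw_target, indicator)) for every flagged line, ready for an alert."""
    hits = []
    for i, line in enumerate(lines):
        result = flag_line(line)
        if result:
            hits.append((i, result))
    return hits


if __name__ == "__main__":
    for idx, (target, indicator) in scan(SAMPLE_LOGS):
        print(f"line {idx}: matched {indicator!r} in {target}")
```

Line 3 of the sample (a profile path containing "onload") is the false positive the literal query would raise; lines 1, 2 and 4 are the encoded breakouts it would miss or catch only by luck.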