Impact
An attacker can trick users into executing arbitrary javascript code when a user edits a malicious dataset using the editor visualization.
All supported versions of Galaxy are affected (i.e. 23.1, 23.2, 24.0, and 24.1). Unsupported versions are affected since the addition of the editor in version 20.05
Patches
All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches.
The same patch should work for all supported versions of Galaxy and out of support Galaxy versions back to Galaxy release 20.05. The patch can be found at: https://depot.galaxyproject.org/patch/CVE-2024-42346/editor-viz.patch.
To apply the patch, navigate to the root of your Galaxy directory, then execute:
wget -O - "https://depot.galaxyproject.org/patch/CVE-2024-42346/editor-viz.patch" | patch -p1
or:
curl "https://depot.galaxyproject.org/patch/CVE-2024-42346/editor-viz.patch" | patch -p1
You can test application of the patch before applying it by adding the --dry-run flag to patch.
For the changes to take effect, you must restart all Galaxy server processes.
Workarounds
You must apply the supplied patch or update to the release_20.05 branch or newer. There are no supported workarounds.
References
This vulnerability has been discovered and responsibly disclosed by @partywavesec . The Galaxy Project is grateful for the help.
partywavesec Reporter
Impact
An attacker can trick users into executing arbitrary javascript code when a user edits a malicious dataset using the editor visualization.
All supported versions of Galaxy are affected (i.e. 23.1, 23.2, 24.0, and 24.1). Unsupported versions are affected since the addition of the editor in version 20.05
Patches
All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches.
The same patch should work for all supported versions of Galaxy and out of support Galaxy versions back to Galaxy release 20.05. The patch can be found at: https://depot.galaxyproject.org/patch/CVE-2024-42346/editor-viz.patch.
To apply the patch, navigate to the root of your Galaxy directory, then execute:
or:
You can test application of the patch before applying it by adding the
--dry-runflag to patch.For the changes to take effect, you must restart all Galaxy server processes.
Workarounds
You must apply the supplied patch or update to the release_20.05 branch or newer. There are no supported workarounds.
References
This vulnerability has been discovered and responsibly disclosed by @partywavesec . The Galaxy Project is grateful for the help.