AVID-2026-R1330
Description
Cross-site Scripting (XSS) - Reflected in kubeflow/kubeflow (CVE-2023-6571)
Details
Cross-site Scripting (XSS) - Reflected in kubeflow/kubeflow
Reason for inclusion in AVID: CVE-2023-6571 describes a reflected cross-site scripting (XSS) vulnerability in the Kubeflow UI. Kubeflow is a platform used to build, deploy, and manage AI workflows, which makes it a software component within AI stacks. The issue is therefore a security vulnerability in a software component that supports AI systems, i.e., a potential supply-chain element for general-purpose AI deployments. The CVE entry and the CWE-79 classification document the vulnerability's behavior and impact explicitly. It thus satisfies the criteria of AI relevance, supply-chain relevance (as a dependency and runner in AI pipelines), security impact, and sufficiency of evidence.
References
Affected or Relevant Artifacts
- Developer: kubeflow
- Deployer: kubeflow
- Artifact Details:
| Type | Name |
|---|---|
| System | kubeflow/kubeflow |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| Base Score | 5.4 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | 🟢 Low |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-12-14
- Version: 0.3.3
- AVID Entry