Home > Vulnerability Database > CVE-2022-39366

Mend.io Vulnerability Database

CVE-2022-39366

Good to know:

Date: October 28, 2022

DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the `StatelessTokenService` of the Metadata service uses the `parse` method of `io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds.

Language: Python

Severity Score

9.8

Related Resources (7)

Url: https://github.com/datahub-project/datahub/releases/tag/v0.8.45

Url: https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L30

Url: https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L134

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39366

Url: https://github.com/datahub-project/datahub/security/advisories/GHSA-r8gm-v65f-c973

Url: https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/

Url: https://www.mend.io/vulnerability-database/CVE-2022-39366

Severity Score

9.8

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Top Fix

Upgrade Version

Upgrade to version acryl-datahub - 0.8.45

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39366

Good to know:

Date: October 28, 2022

Language: Python

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?