Home > Vulnerability Database > CVE-2022-39366

Mend.io Vulnerability Database

CVE-2022-39366

Good to know:

Date: October 27, 2022

DataHub is an open-source metadata platform. Prior to version 0.8.45, the "StatelessTokenService" of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the "StatelessTokenService" of the Metadata service uses the "parse" method of "io.jsonwebtoken.JwtParser", which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds.

Language: Python

Severity Score

9.9

Related Resources (9)

Url: https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check

Url: https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L30

Url: https://github.com/datahub-project/datahub/releases/tag/v0.8.45

Url: https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L134

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39366

Url: https://github.com/datahub-project/datahub

Url: https://github.com/datahub-project/datahub/security/advisories/GHSA-r8gm-v65f-c973

Url: https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/

Url: https://www.mend.io/vulnerability-database/CVE-2022-39366

Severity Score

9.9

Weakness Type (CWE)

Improper Authentication

CWE-287

Improper Verification of Cryptographic Signature

CWE-347

Incorrect Implementation of Authentication Algorithm

CWE-303

Top Fix

Upgrade Version

Upgrade to version acryl-datahub - 0.8.45

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39366

Good to know:

Date: October 27, 2022

Language: Python

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?