Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-25560

Good to know:

icon

Date: February 10, 2023

DataHub is an open-source metadata platform. The AuthServiceClient which is responsible for creation of new accounts, verifying credentials, resetting them or requesting access tokens, crafts multiple JSON strings using format strings with user-controlled data. This means that an attacker may be able to augment these JSON strings to be sent to the backend and that can potentially be abused by including new or colliding values. This issue may lead to an authentication bypass and the creation of system accounts, which effectively can lead to full system compromise. Users are advised to upgrade. There are no known workarounds for this vulnerability. This vulnerability was discovered and reported by the GitHub Security lab and is tracked as GHSL-2022-080.

Language: Java

Severity Score

Related Resources (3)

https://nvd.nist.gov/vuln/detail/CVE-2023-25560
https://github.com/datahub-project/datahub/security/advisories/GHSA-6rpf-5cfg-h8f3
https://www.mend.io/vulnerability-database/CVE-2023-25560

Severity Score

Weakness Type (CWE)

Improper Control of Dynamically-Managed Code Resources

CWE-913

Top Fix

icon

Upgrade Version

Upgrade to version v0.8.45

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us