CVE-2022-39366: DataHub missing JWT signature check
First published: Fri Oct 28 2022(Updated: )
DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the `StatelessTokenService` of the Metadata service uses the `parse` method of `io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Datahub | <0.8.45 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/
- https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L134
- https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L30
- https://github.com/datahub-project/datahub/releases/tag/v0.8.45
- https://github.com/datahub-project/datahub/security/advisories/GHSA-r8gm-v65f-c973
Frequently Asked Questions
What is CVE-2022-39366?
CVE-2022-39366 is a vulnerability in the DataHub metadata service (GMS) where the `StatelessTokenService` does not verify the signature of JWT tokens, allowing an attacker to connect to DataHub instances as any user.
What is the severity of CVE-2022-39366?
CVE-2022-39366 has a severity rating of 9.8 (Critical).
How does CVE-2022-39366 affect DataHub?
CVE-2022-39366 affects DataHub prior to version 0.8.45, and allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled.
Is there a fix for CVE-2022-39366?
Yes, upgrading DataHub to version 0.8.45 or later fixes CVE-2022-39366.
What are the Common Weakness Enumerations (CWE) associated with CVE-2022-39366?
The Common Weakness Enumerations (CWE) associated with CVE-2022-39366 are CWE-347 (Improper Verification of Cryptographic Signature) and CWE-287 (Improper Authentication).
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/references
- agent/title
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/datahub project
- canonical/datahub