What is CVE-2023-47628?

CVE-2023-47628 is a vulnerability in DataHub, an open-source metadata platform, that allows session cookies to be valid forever due to a misconfiguration in session expiration.

What is the severity of CVE-2023-47628?

The severity of CVE-2023-47628 is medium with a severity value of 4.2.

What software is affected by CVE-2023-47628?

DataHub versions up to and excluding 0.12.1 are affected by CVE-2023-47628.

How can I fix CVE-2023-47628?

To fix CVE-2023-47628, it is recommended to update DataHub to a version higher than 0.12.1, where the vulnerability has been patched.

Where can I find more information about CVE-2023-47628?

More information about CVE-2023-47628 can be found at the following reference: [GitHub Advisory](https://github.com/datahub-project/datahub/security/advisories/GHSA-75p8-rgh2-r9mx).

Vulnerability/
CVE-2023-47628

medium

4.8

CWE

613

14/11/2023

3/9/2024

CVE-2023-47628: Session Expiration Misconfiguration in datahub

First published: Tue Nov 14 2023(Updated: )

DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever. DataHub uses a stateless session cookie that is not invalidated on logout, it is just removed from the browser forcing the user to login again. However, if an attacker extracted a cookie from an authenticated user it would continue to be valid as there is no validation on a time window the session token is valid for due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Datahub	<0.12.1

Never miss a vulnerability like this again

Reference Links

https://github.com/datahub-project/datahub/security/advisories/GHSA-75p8-rgh2-r9mx

Frequently Asked Questions

What is CVE-2023-47628?
CVE-2023-47628 is a vulnerability in DataHub, an open-source metadata platform, that allows session cookies to be valid forever due to a misconfiguration in session expiration.
What is the severity of CVE-2023-47628?
The severity of CVE-2023-47628 is medium with a severity value of 4.2.
What software is affected by CVE-2023-47628?
DataHub versions up to and excluding 0.12.1 are affected by CVE-2023-47628.
How can I fix CVE-2023-47628?
To fix CVE-2023-47628, it is recommended to update DataHub to a version higher than 0.12.1, where the vulnerability has been patched.
Where can I find more information about CVE-2023-47628?
More information about CVE-2023-47628 can be found at the following reference: [GitHub Advisory](https://github.com/datahub-project/datahub/security/advisories/GHSA-75p8-rgh2-r9mx).

agent/type
agent/event
agent/softwarecombine
agent/first-publish-date
agent/weakness
agent/severity
agent/author
agent/title
agent/references
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
agent/tags
collector/nvd-api
agent/software-canonical-lookup-request
vendor/datahub project
canonical/datahub

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.