Login fail open on JAAS misconfiguration in DataHub
CVE-2023-25561

5.7MEDIUM

Key Information:

Vendor: Datahub-project
Status: Datahub
Vendor: CVE Published:; 11 February 2023

🔔 Create Datahub-project Vulnerability Alert

What is CVE-2023-25561?

The DataHub metadata platform is susceptible to an authentication bypass vulnerability stemming from a coding error in its Java Authentication and Authorization Service (JAAS) integration. When this misconfiguration occurs, the system fails to handle authentication errors correctly, allowing unauthorized users to access the system using any set of credentials. This lapse is due to the swallowing of exceptions in the 'authenticateJaasUser' method, thereby enabling potential attackers to exploit this oversight. It is critical for users to upgrade their systems to the latest version to mitigate this risk, as no alternative workarounds are currently available.

Affected Version(s)

datahub < 0.8.45

References

https://github.com/datahub-project/datahub/security/advis...

x_refsource_CONFIRM

https://github.com/datahub-project/datahub/blob/fdf4e4849...

x_refsource_MISC

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2023
Vulnerability Reserved
Feb 7, 2023

CVE-2023-25561 Data

JSON