Failure to Invalidate Session on Logout in DataHub
CVE-2023-25562

6.9 MEDIUM

Key Information:

CVE Published: 11 February 2023

What is CVE-2023-25562?

DataHub is an open-source metadata platform. In versions prior to 0.8.45, the authentication session cookie is not invalidated when a user logs out: the cookie is only replaced on a new sign-in event. A session cookie obtained before logout therefore continues to be accepted as valid after the user has logged out, so anyone holding a copy of that cookie can keep acting as the user (an authentication bypass). Any session cookie that has not been explicitly invalidated by a later sign-in may still authenticate, which is a significant risk to user accounts. There is no workaround; users should upgrade to version 0.8.45 or later.
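The following is an added illustration, not DataHub's own code and not a description of its internal session mechanism: a generic server-side session store that reproduces the behaviour the advisory describes (logout leaves the session usable; only a new sign-in for the same user replaces it) next to a hardened store that revokes the session on logout, together with the replay check a tester would run against either. The store classes, the session-ID format and the single-active-session-per-user policy are assumptions made for the example.

```python
"""
Added example (not DataHub code): vulnerable vs. hardened session handling,
plus the cookie-replay check that distinguishes them.
"""
import secrets


class VulnerableSessionStore:
    """Models the advisory's bug: a session is only dropped when the same
    user signs in again, never when the user logs out."""

    def __init__(self):
        self._sessions = {}  # session_id -> username (hypothetical layout)
        self._current = {}   # username -> active session_id

    def login(self, username):
        # The only place an old session is cleared: a new sign-in for this user.
        old = self._current.get(username)
        if old is not None:
            self._sessions.pop(old, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        self._current[username] = sid
        return sid  # value the server would set as the session cookie

    def logout(self, sid):
        # Bug: the browser is told to drop the cookie, but the server keeps
        # the session, so a captured copy of the cookie still authenticates.
        return sid in self._sessions

    def authenticate(self, sid):
        """Return the username a cookie value maps to, or None if rejected."""
        return self._sessions.get(sid)


class HardenedSessionStore(VulnerableSessionStore):
    """Same store, but logout revokes the session server-side."""

    def logout(self, sid):
        user = self._sessions.pop(sid, None)
        if user is not None and self._current.get(user) == sid:
            del self._current[user]
        return user is not None


def replay_after_logout(store, username):
    """True if a cookie captured before logout still authenticates afterwards.

    This is the check to run against a deployment: log in, keep a copy of the
    session cookie, log out, then replay the saved cookie. A fixed system
    rejects it.
    """
    sid = store.login(username)
    if store.authenticate(sid) != username:
        raise RuntimeError("login did not produce a valid session")
    store.logout(sid)
    return store.authenticate(sid) == username


def old_cookie_after_relogin(store, username):
    """True if a cookie from a first sign-in still works after a second sign-in.

    The advisory states that a new sign-in does clear the earlier cookie, so
    this returns False for both stores; only logout is mishandled.
    """
    first = store.login(username)
    store.login(username)
    return store.authenticate(first) == username


if __name__ == "__main__":
    for cls in (VulnerableSessionStore, HardenedSessionStore):
        print(cls.__name__,
              "replay after logout:", replay_after_logout(cls(), "alice"),
              "old cookie after re-login:", old_cookie_after_relogin(cls(), "alice"))
```

The same replay check applies to a real deployment: authenticate, save the exact session cookie value, call the logout endpoint, then send the saved cookie to an authenticated endpoint. If the request still succeeds, logout is not invalidating the session. Note that fixing the server alone is not enough when the cookie is a self-contained signed token: the server also needs a revocation list or a per-session identifier it can reject, otherwise a copied cookie stays valid until it expires.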

Affected Version(s)

datahub < 0.8.45

CVSS V3.1

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved