Privilege escalation through email sign-up in datahub
CVE-2023-47629

7.1HIGH

Key Information:

Vendor: Datahub-project
Status: Datahub
Vendor: CVE Published:; 14 November 2023

🔔 Create Datahub-project Vulnerability Alert

What is CVE-2023-47629?

DataHub, an open-source metadata platform, suffers from an improper access control vulnerability that enables users to create privileged accounts through an invite link. This happens when the default DataHub user has been deleted but the default policies associated with that user remain intact. Under specific conditions, an individual receiving an email sign-up link can gain admin privileges, potentially compromising the entire DataHub instance. It is crucial for users to upgrade to version 0.12.1, as there are no known workarounds to mitigate this vulnerability.

Affected Version(s)

datahub < 0.12.1

References

https://github.com/datahub-project/datahub/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 14, 2023
Vulnerability Reserved
Nov 7, 2023

CVE-2023-47629 Data

JSON