Default Privileges allow for high level operations for low privileged users in datahub
CVE-2024-22409

7.5HIGH

Key Information:

Vendor: Datahub-project
Status: Datahub
Vendor: CVE Published:; 16 January 2024

🔔 Create Datahub-project Vulnerability Alert

What is CVE-2024-22409?

The vulnerability in DataHub allows low privileged users to escalate privileges by removing other users or altering group membership and profile information. This situation arises due to the default settings that granted excessive permissions to low privileged accounts. If an administrator group is present, this could potentially lead to unauthorized access and control over sensitive aspects of the platform. Users are advised to upgrade to DataHub version 0.12.1, which has mitigated this risk by imposing stricter limits on user permissions.

Affected Version(s)

datahub < 0.12.1

References

https://github.com/datahub-project/datahub/security/advis...

x_refsource_CONFIRM

https://github.com/datahub-project/datahub/pull/9067

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 16, 2024
Vulnerability Reserved
Jan 10, 2024

CVE-2024-22409 Data

JSON