Skip to main content

Datahub CVE-2023-47629

HIGH
Improper Privilege Management (CWE-269)
2023-11-14 security-advisories@github.com
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 14, 2023 - 01:15 nvd
HIGH 8.0

DescriptionNVD

DataHub is an open-source metadata platform. In affected versions sign-up through an invite link does not properly restrict users from signing up as privileged accounts. If a user is given an email sign-up link they can potentially create an admin account given certain preconditions. If the default datahub user has been removed, then the user can sign up for an account that leverages the default policies giving admin privileges to the datahub user. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability.

AnalysisAI

DataHub is an open-source metadata platform. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. DataHub is an open-source metadata platform. In affected versions sign-up through an invite link does not properly restrict users from signing up as privileged accounts. If a user is given an email sign-up link they can potentially create an admin account given certain preconditions. If the default datahub user has been removed, then the user can sign up for an account that leverages the default policies giving admin privileges to the datahub user. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability. Affected products include: Datahub Project Datahub. Version information: version 0.12.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.

CVE-2022-39366 CRITICAL POC
9.8 Oct 28

DataHub is an open-source metadata platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2024-22409 HIGH POC
8.8 Jan 16

DataHub is an open-source metadata platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-25562 CRITICAL
9.8 Feb 11

DataHub is an open-source metadata platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25561 CRITICAL
9.8 Feb 11

DataHub is an open-source metadata platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25560 CRITICAL
9.8 Feb 11

DataHub is an open-source metadata platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2023-25557 CRITICAL
9.1 Feb 11

DataHub is an open-source metadata platform. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploita

CVE-2023-47640 HIGH
8.8 Nov 14

DataHub is an open-source metadata platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-47628 MEDIUM POC
4.8 Nov 14

DataHub is an open-source metadata platform. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitabl

CVE-2023-25558 HIGH
8.8 Feb 11

DataHub is an open-source metadata platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-25559 HIGH
8.1 Feb 11

DataHub is an open-source metadata platform. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable,

CVE-2026-25644 HIGH
7.5 Feb 06

DataHub versions prior to 1.3.1.8 are vulnerable to man-in-the-middle attacks during LDAP authentication due to insuffic

Share

CVE-2023-47629 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy