Lucene search

K
cveGitHub_MCVE-2024-29037
HistoryMar 20, 2024 - 9:15 p.m.

CVE-2024-29037

2024-03-2021:15:32
CWE-1394
GitHub_M
web.nvd.nist.gov
42
datahub-helm
kubernetes
helm charts
deployment
security
cve-2024-29037
access tokens
secret key
configuration issue
metadata service authentication

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.3

Confidence

High

EPSS

0

Percentile

9.0%

datahub-helm provides the Kubernetes Helm charts for deploying Datahub and its dependencies on a Kubernetes cluster. Starting in version 0.1.143 and prior to version 0.2.182, due to configuration issues in the helm chart, if there was a successful initial deployment during a limited window of time, personal access tokens were possibly created with a default secret key. Since the secret key is a static, publicly available value, someone could inspect the algorithm used to generate personal access tokens and generate their own for an instance. Deploying with Metadata Service Authentication enabled would have been difficult during window of releases. If someone circumvented the helm settings and manually set Metadata Service Authentication to be enabled using environment variables directly, this would skip over the autogeneration logic for the Kubernetes Secrets and DataHub GMS would default to the signing key specified statically in the application.yml. Most deployments probably did not attempt to circumvent the helm settings to enable Metadata Service Authentication during this time, so impact is most likely limited. Any deployments with Metadata Service Authentication enabled should ensure that their secret values are properly randomized. Version 0.2.182 contains a patch for this issue. As a workaround, one may reset the token signing key to be a random value, which will invalidate active personal access tokens.

Affected configurations

Vulners
Vulnrichment
Node
acryldatadatahub_helmRange0.1.1430.2.182
VendorProductVersionCPE
acryldatadatahub_helm*cpe:2.3:a:acryldata:datahub_helm:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "acryldata",
    "product": "datahub-helm",
    "versions": [
      {
        "version": ">= 0.1.143, < 0.2.182",
        "status": "affected"
      }
    ]
  }
]

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.3

Confidence

High

EPSS

0

Percentile

9.0%

Related for CVE-2024-29037