3 matches found
CVE-2022-39366
DataHub is an open-source metadata platform. Prior to version 0.8.45, the StatelessTokenService of the DataHub metadata service GMS does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This...
CVE-2022-39366 DataHub missing JWT signature check
DataHub is an open-source metadata platform. Prior to version 0.8.45, the StatelessTokenService of the DataHub metadata service GMS does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This...
CVE-2022-39366
DataHub (GMS) prior to 0.8.45 uses StatelessTokenService that calls JwtParser.parse without cryptographic signature verification, enabling potential authentication bypass by accepting JWTs regardless of signature. A patch exists in 0.8.45; no public workarounds are noted. Affected component: Data...