
4 matches found

NVD
added 2023/11/14 9:15 p.m., 8 views

CVE-2023-47640

DataHub is an open-source metadata platform. The HMAC signature for DataHub Frontend sessions was being signed using a SHA-1 HMAC with the frontend secret key. SHA1 with a 10 byte key can be brute forced using sufficient resources i.e. state level actors with large computational capabilities...

CVSS 8.8, EPSS 0.0005
Exploits: 0, References: 1

Prion
added 2023/11/14 9:15 p.m., 14 views

Default credentials

DataHub is an open-source metadata platform. The HMAC signature for DataHub Frontend sessions was being signed using a SHA-1 HMAC with the frontend secret key. SHA1 with a 10 byte key can be brute forced using sufficient resources i.e. state level actors with large computational capabilities...

CVSS 6.5, AI score 6.9, EPSS 0.0005
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2023/11/14 8:55 p.m., 23 views

CVE-2023-47640 Insecure Use of HMAC-SHA1 For Session Signing in datahub

DataHub is an open-source metadata platform. The HMAC signature for DataHub Frontend sessions was being signed using a SHA-1 HMAC with the frontend secret key. SHA1 with a 10 byte key can be brute forced using sufficient resources i.e. state level actors with large computational capabilities...

CVSS 6.4, AI score 8.6, EPSS 0.0005
Exploits: 0, References: 1

CVE
added 2023/11/14 12:33 a.m., 39 views

CVE-2023-47628

CVE-2023-47628 describes a session-management flaw in DataHub Frontend where Play Framework default settings create a stateless cookie without expiration. The root cause is a cookie policy that does not set an expiration time, compounded by use of LegacyCookiesModule, making a leaked session cook...

CVSS 4.8, AI score 4.6, EPSS 0.00118
Exploits: 1, References: 1, Affected Software: 1