Lucene search

GitHub_MCVELIST:CVE-2024-22409

HistoryJan 16, 2024 - 10:16 p.m.

CVE-2024-22409 Default Privileges allow for high level operations for low privileged users in datahub

2024-01-1622:16:48

CWE-276

GitHub_M

www.cve.org

cve-2024-22409

datahub

default privileges

privilege escalation

metadata platform

user profile

admin privileges

security update

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

DataHub is an open-source metadata platform. In affected versions a low privileged user could remove a user, edit group members, or edit another user’s profile information. The default privileges gave too many broad permissions to low privileged users. These have been constrained in PR #9067 to prevent abuse. This issue can result in privilege escalation for lower privileged users up to admin privileges, potentially, if a group with admin privileges exists. May not impact instances that have modified default privileges. This issue has been addressed in datahub version 0.12.1. Users are advised to upgrade.

CNA Affected

[
  {
    "vendor": "datahub-project",
    "product": "datahub",
    "versions": [
      {
        "version": "< 0.12.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/datahub-project/datahub/pull/9067

github.com/datahub-project/datahub/security/advisories/GHSA-x3v6-r479-m4xv

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

Related for CVELIST:CVE-2024-22409