Lucene search

[email protected]NVD:CVE-2024-22409

HistoryJan 16, 2024 - 11:15 p.m.

CVE-2024-22409

2024-01-1623:15:08

CWE-276

[email protected]

web.nvd.nist.gov

datahub

metadata platform

low privileged user

privilege escalation

default privileges

version 0.12.1

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

DataHub is an open-source metadata platform. In affected versions a low privileged user could remove a user, edit group members, or edit another user’s profile information. The default privileges gave too many broad permissions to low privileged users. These have been constrained in PR #9067 to prevent abuse. This issue can result in privilege escalation for lower privileged users up to admin privileges, potentially, if a group with admin privileges exists. May not impact instances that have modified default privileges. This issue has been addressed in datahub version 0.12.1. Users are advised to upgrade.

Affected configurations

Nvd

Node

datahub_projectdatahubRange<0.12.1

VendorProductVersionCPE
datahub_projectdatahub*cpe:2.3:a:datahub_project:datahub:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
datahub_project	datahub	*	cpe:2.3:a:datahub_project:datahub::::::::

References

github.com/datahub-project/datahub/pull/9067

github.com/datahub-project/datahub/security/advisories/GHSA-x3v6-r479-m4xv

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

19.3%

JSON

Related for NVD:CVE-2024-22409

cvelist1 prion1 cve1