Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
DataHub missing JWT signature check
Vulnerability Description
DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the `StatelessTokenService` of the Metadata service uses the `parse` method of `io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Vulnerability Type
认证算法的不正确实现
Vulnerability Title
DataHub 数据伪造问题漏洞
Vulnerability Description
DataHub是datahub-project开源的一个现代数据栈的元数据平台。 DataHub 0.8.45之前版本存在安全漏洞,该漏洞源于不验证JWT令牌的签名,可能导致认证绕过,这允许攻击者以任何用户身份连接到DataHub实例。
CVSS Information
N/A
Vulnerability Type
N/A