CVE-2024-22409

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-22409
DataHub is an open-source metadata platform. In affected versions a low privileged user could remove a user, edit group members, or edit another user's profile information. The default privileges gave too many broad permissions to low privileged users. These have been constrained in PR #9067 to prevent abuse. This issue can result in privilege escalation for lower privileged users up to admin privileges, potentially, if a group with admin privileges exists. May not impact instances that have modified default privileges. This issue has been addressed in datahub version 0.12.1. Users are advised to upgrade.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/datahub-project/datahub/pull/9067 Patch
https://github.com/datahub-project/datahub/security/advisories/GHSA-x3v6-r479-m4xv Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:datahub_project:datahub:*:*:*:*:*:*:*:*
History

No history.

Information

Published : 2024-01-16 23:15

Updated : 2024-01-25 16:08

NVD link : CVE-2024-22409

Mitre link : CVE-2024-22409

CVE.ORG link : CVE-2024-22409

JSON object : View

Products Affected

datahub_project

  • datahub
CWE
CWE-276

Incorrect Default Permissions