
Login fail open on JAAS misconfiguration (`GHSL-2022-081`)

Moderate
david-leifker published GHSA-7wc6-p6c4-522c Jan 6, 2023

Package

datahub-frontend (Java)

Affected versions

<v0.8.45

Patched versions

v0.8.45

Description

Impact

This issue may lead to an authentication bypass.

Conditions

The issue applies if JAAS (Java Authentication and Authorization Service) authentication is used and the given configuration contains an error.
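A fail-closed JAAS login wrapper, shown as an added example; it is not datahub-frontend's code or the patch in v0.8.45. The class name `FailClosedJaasLogin`, the entry name `ExampleEntry` and the deliberately broken in-memory configuration are assumptions made for illustration.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class FailClosedJaasLogin {

    /** Returns true only if LoginContext.login() completed without throwing. */
    static boolean authenticate(String entryName, Configuration config, CallbackHandler handler) {
        boolean authenticated = false; // deny by default
        try {
            LoginContext lc = new LoginContext(entryName, new Subject(), handler, config);
            lc.login();           // throws on bad credentials and on bad configuration
            authenticated = true; // reached only after login() returned normally
        } catch (Exception e) {
            // LoginException, SecurityException or any runtime failure: stay denied.
            System.err.println("JAAS login denied: " + e);
        }
        return authenticated;
    }

    public static void main(String[] args) {
        // Constructed misconfiguration: the entry names a LoginModule class that does not exist.
        Configuration broken = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("example.invalid.MissingLoginModule",
                        LoginModuleControlFlag.REQUIRED, Map.of())
                };
            }
        };
        CallbackHandler noCallbacks = callbacks -> { };
        System.out.println("authenticated = " + authenticate("ExampleEntry", broken, noCallbacks));
    }
}
```

The success flag is set in exactly one place, after `login()` returns, so a configuration error can only produce a denial.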

Severity

Moderate 5.7 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: High
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE ID

CVE-2023-25561

Weaknesses

No CWEs
