Skip to content

Missing JWT signature check (`GHSL-2022-078`)

Critical
maggiehays published GHSA-r8gm-v65f-c973 Oct 28, 2022

Package

No package listed

Affected versions

< 0.8.45

Patched versions

0.8.45

Description

Missing JWT signature check (GHSL-2022-078)

The StatelessTokenService of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the StatelessTokenService of the Metadata service uses the parse method of io.jsonwebtoken.JwtParser, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm.

Impact

This issue may lead to an authentication bypass.

Resources

Severity

Critical
9.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

CVE ID

CVE-2022-39366

Weaknesses

Credits