CVE-2022-39366
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-39366
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39366.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-39366
- Aliases
- Published
- 2022-10-28T00:00:00Z
- Modified
- 2025-12-05T10:07:28.837799Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L CVSS Calculator
- Summary
- DataHub missing JWT signature check
- Details
-
DataHub is an open-source metadata platform. Prior to version 0.8.45, the
StatelessTokenServiceof the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because theStatelessTokenServiceof the Metadata service uses theparsemethod ofio.jsonwebtoken.JwtParser, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds. - Database specific
{ "cwe_ids": [ "CWE-287", "CWE-303" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39366.json" }- References
-
- https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39366.json
- https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L134
- https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L30
- https://github.com/datahub-project/datahub/releases/tag/v0.8.45
- https://github.com/datahub-project/datahub/security/advisories/GHSA-r8gm-v65f-c973
- https://nvd.nist.gov/vuln/detail/CVE-2022-39366
Affected packages
Git / github.com/datahub-project/datahub
Affected ranges
- Type
- GIT
- Repo
- https://github.com/datahub-project/datahub
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
RC-v0.*
RC-v0.8.28
v0.*
v0.1.0-alpha
v0.1.1-alpha
v0.2.0-alpha
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0-BETA
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.8.0-pre
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.16
v0.8.17
v0.8.18
v0.8.19
v0.8.2
v0.8.20
v0.8.21
v0.8.22
v0.8.23
v0.8.24
v0.8.25
v0.8.26
v0.8.27
v0.8.28
v0.8.28rc1
v0.8.29
v0.8.3
v0.8.30
v0.8.31
v0.8.32
v0.8.33
v0.8.34
v0.8.35
v0.8.36
v0.8.37
v0.8.38
v0.8.39
v0.8.4
v0.8.40
v0.8.41
v0.8.42
v0.8.43
v0.8.44
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
Database specific
vanir_signatures
[
{
"target": {
"file": "metadata-service/servlet/src/main/java/com/datahub/gms/servlet/Config.java"
},
"digest": {
"line_hashes": [
"31554251648533416152623010086936924547",
"155760737878228610195097988911985706046",
"284220006101245241007895365429582833180",
"221398545169308186189998836629710439288"
],
"threshold": 0.9
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/datahub-project/datahub/commit/af6a423f9d39c1efe308c9722c338fa82e36a55f",
"signature_type": "Line",
"id": "CVE-2022-39366-16f79a12"
}
]