P-Analyst

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The issue concerns the Metadata service (GMS) in DataHub, where the X-DataHub-Actor HTTP header is used to infer the user on whose behalf the frontend is sending a request. The header's name is retrieved in a case-insensitive manner, which can be exploited by an attacker to smuggle an X-DataHub-Actor header with different casing. This can lead to an authorization bypass, allowing any user to impersonate the system user account and perform actions on its behalf. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The issue occurs when a system using Java Authentication and Authorization Service (JAAS) authentication encounters a configuration error, causing authentication to fail open. This allows an attacker to login with any username and password due to an error being thrown in the `authenticateJaasUser` method but not propagated. As a result, unauthenticated users may gain access to the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataHub versions prior to 0.8.45 **Description** The issue concerns authentication checks using the `AuthUtils.hasValidSessionCookie()` method, which could be bypassed by using a cookie from a logged out session. This is because session cookies are only cleared on new sign-in events and not on logout events. As a result, any logged out session cookie may be accepted as valid, leading to an authentication bypass to the system. **Recommendations** For versions prior to 0.8.45, upgrade to version 0.8.45 or later to resolve the issue. As a temporary workaround, consider disabling the use of session cookies or restricting access to sensitive areas of the system until the upgrade can be applied.

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The DataHub frontend proxy does not properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), allowing external users to reroute requests to arbitrary hosts. This enables attackers to redirect requests from the frontend proxy to other servers and return the results. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The issue concerns the AuthServiceClient in DataHub, which is responsible for managing accounts and authentication. It crafts JSON strings using format strings with user-controlled data, potentially allowing an attacker to manipulate these strings and send them to the backend. This could lead to an authentication bypass, creation of system accounts, and potentially full system compromise. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** Versões do DataHub anteriores à 0.8.45 **Descrição** O `StatelessTokenService` do serviço de metadados do DataHub não verifica a assinatura dos tokens JWT, permitindo que um invasor se conecte a instâncias do DataHub como qualquer usuário, caso a autenticação do serviço de metadados esteja habilitada. Isso ocorre porque o `StatelessTokenService` utiliza o método `parse` do `io.jsonwebtoken.JwtParser`, que não realiza uma verificação da assinatura criptográfica do token, aceitando JWTs independentemente do algoritmo utilizado. Esse problema pode levar a uma burla na autenticação. **Recomendações** Para versões anteriores à 0.8.45, atualize para a versão 0.8.45 para resolver o problema. Como solução alternativa temporária, considere desativar a função `StatelessTokenService` até que um patch esteja disponível. Restrinja o acesso ao serviço de metadados para minimizar o risco de exploração. Evite usar tokens JWT nas instâncias do DataHub afetadas até que o problema seja resolvido.

**Nome do software vulnerável e versões afetadas** Versões do CircuitVerse anteriores à versão com o número de commit 7b3023a99499a7675f10f2c1d9effdf10c35fb6e **Descrição** O CircuitVerse é uma plataforma de código aberto para a construção de circuitos lógicos digitais online. Uma vulnerabilidade de execução remota de código permite que invasores autenticados executem código arbitrário por meio de cargas JSON especialmente criadas, o que pode levar à execução remota de código. **Recomendações** Para versões anteriores à versão com o número de commit 7b3023a99499a7675f10f2c1d9effdf10c35fb6e, aplique o patch disponível no número de commit 7b3023a99499a7675f10f2c1d9effdf10c35fb6e para resolver a vulnerabilidade.