CVE-2023-25559

Name of the Vulnerable Software and Affected Versions DataHub (affected versions not specified)

Description The issue concerns the Metadata service (GMS) in DataHub, where the X-DataHub-Actor HTTP header is used to infer the user on whose behalf the frontend is sending a request. The header's name is retrieved in a case-insensitive manner, which can be exploited by an attacker to smuggle an X-DataHub-Actor header with different casing. This can lead to an authorization bypass, allowing any user to impersonate the system user account and perform actions on its behalf.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.