Dkonis

**Name of the Vulnerable Software and Affected Versions** DataHub versions prior to 0.12.1 **Description** DataHub is an open-source metadata platform. In affected versions, a low privileged user could remove a user, edit group members, or edit another user's profile information due to overly broad default privileges. This issue can result in privilege escalation for lower privileged users up to admin privileges if a group with admin privileges exists. The issue may not impact instances that have modified default privileges. **Recommendations** For versions prior to 0.12.1, upgrade to version 0.12.1 to address the issue. As a temporary workaround, consider modifying the default privileges to constrain the permissions of low privileged users until the upgrade can be applied. Restrict access to user management and group member editing features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DataHub versions prior to 0.11.1 **Description** The issue concerns the use of a SHA-1 HMAC with a short key length for signing session tokens in DataHub Frontend, making it vulnerable to brute force attacks by sufficiently resourced actors. An authenticated attacker could exploit this to obtain escalated privileges by generating a privileged session cookie. The vulnerability is exacerbated by the default settings of the Play LegacyCookiesModule and the shorter than recommended key length for the signing key. **Recommendations** For versions prior to 0.11.1, update to the latest helm chart and rotate the session signing secret to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** DataHub versions prior to 0.12.1 **Description** DataHub is an open-source metadata platform. The issue arises from the configuration of DataHub Frontend's sessions using Play Framework's default settings for stateless sessions, which do not set an expiration time for a cookie. This means if a session cookie is leaked, it remains valid indefinitely. DataHub utilizes a stateless session cookie that is not invalidated upon logout; instead, it is removed from the browser, prompting the user to log in again. However, an attacker who extracts a cookie from an authenticated user could continue to use it, as there is no validation for the time window during which the session token is valid. This is due to the combination of using LegacyCookiesModule from Play Framework and the default settings that do not set an expiration time. **Recommendations** For versions prior to 0.12.1, update to version 0.12.1 to address the issue. As a temporary workaround, consider implementing additional security measures to protect against session cookie leaks, such as enhancing cookie security settings or implementing stricter access controls, until the update to version 0.12.1 can be applied.