P-Analyst

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The issue concerns the Metadata service (GMS) in DataHub, where the X-DataHub-Actor HTTP header is used to infer the user on whose behalf the frontend is sending a request. The header's name is retrieved in a case-insensitive manner, which can be exploited by an attacker to smuggle an X-DataHub-Actor header with different casing. This can lead to an authorization bypass, allowing any user to impersonate the system user account and perform actions on its behalf. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The issue occurs when a system using Java Authentication and Authorization Service (JAAS) authentication encounters a configuration error, causing authentication to fail open. This allows an attacker to login with any username and password due to an error being thrown in the `authenticateJaasUser` method but not propagated. As a result, unauthenticated users may gain access to the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataHub versions prior to 0.8.45 **Description** The issue concerns authentication checks using the `AuthUtils.hasValidSessionCookie()` method, which could be bypassed by using a cookie from a logged out session. This is because session cookies are only cleared on new sign-in events and not on logout events. As a result, any logged out session cookie may be accepted as valid, leading to an authentication bypass to the system. **Recommendations** For versions prior to 0.8.45, upgrade to version 0.8.45 or later to resolve the issue. As a temporary workaround, consider disabling the use of session cookies or restricting access to sensitive areas of the system until the upgrade can be applied.

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The DataHub frontend proxy does not properly construct URLs when forwarding data to the DataHub Metadata Store (GMS), allowing external users to reroute requests to arbitrary hosts. This enables attackers to redirect requests from the frontend proxy to other servers and return the results. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataHub (affected versions not specified) **Description** The issue concerns the AuthServiceClient in DataHub, which is responsible for managing accounts and authentication. It crafts JSON strings using format strings with user-controlled data, potentially allowing an attacker to manipulate these strings and send them to the backend. This could lead to an authentication bypass, creation of system accounts, and potentially full system compromise. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DataHub versions prior to 0.8.45 **Description** The `StatelessTokenService` of the DataHub metadata service does not verify the signature of JWT tokens, allowing an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This occurs because the `StatelessTokenService` uses the `parse` method of `io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic token signature, accepting JWTs regardless of the used algorithm. This issue may lead to an authentication bypass. **Recommendations** For versions prior to 0.8.45, update to version 0.8.45 to resolve the issue. As a temporary workaround, consider disabling the `StatelessTokenService` function until a patch is available. Restrict access to the Metadata service to minimize the risk of exploitation. Avoid using JWT tokens in the affected DataHub instances until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CircuitVerse versions prior to the version with commit number 7b3023a99499a7675f10f2c1d9effdf10c35fb6e **Description** CircuitVerse is an open-source platform for constructing digital logic circuits online. A remote code execution issue allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads, potentially leading to remote code execution. **Recommendations** For versions prior to the version with commit number 7b3023a99499a7675f10f2c1d9effdf10c35fb6e, apply the patch available in commit number 7b3023a99499a7675f10f2c1d9effdf10c35fb6e to resolve the issue.