PT-2022-24933 · Datahub · Datahub

Credits: Artsploit +6
Published: 2022-10-28 · Updated: 2025-12-03
CVE-2022-39366

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: DataHub versions prior to 0.8.45

Description: The StatelessTokenService of the DataHub metadata service does not verify the signature of JWT tokens, allowing an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This occurs because the StatelessTokenService uses the parse method of io.jsonwebtoken.JwtParser, which does not verify the token's cryptographic signature and accepts JWTs regardless of the algorithm they declare. This issue may lead to an authentication bypass.

Recommendations: For versions prior to 0.8.45, update to version 0.8.45 to resolve the issue. As a temporary workaround, consider disabling the StatelessTokenService until a patch is available. Restrict access to the Metadata Service to minimize the risk of exploitation. Avoid using JWT tokens in the affected DataHub instances until the issue is resolved.
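The difference between the two jjwt parser calls named above is easiest to see in a small regression-style check. The program below is an added example written for this page, not DataHub's own code: it assumes jjwt 0.11.x on the classpath (jjwt-api, jjwt-impl, jjwt-jackson), uses a constructed demo key, and the class and method names are this example's own. It builds one properly signed token and one token with no signature segment, then feeds both to JwtParser.parse (the call the advisory describes) and to JwtParser.parseClaimsJws (the call that requires and verifies a signature).

```java
// Added example (not DataHub's code). Assumes jjwt 0.11.x.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;

import java.nio.charset.StandardCharsets;
import java.security.Key;

public class UnsignedJwtCheck {

    // Constructed demo secret (>= 32 bytes, as HS256 requires); a real service
    // loads its signing key from configuration, never from a literal.
    private static final Key KEY = Keys.hmacShaKeyFor(
            "demo-secret-that-is-at-least-32-bytes-long!!".getBytes(StandardCharsets.UTF_8));

    // Pattern the advisory describes: parse() decodes any JWT and only verifies a
    // signature if one is present, so a token with no signature segment is accepted.
    static String subjectViaParse(JwtParser parser, String token) {
        Claims claims = (Claims) parser.parse(token).getBody();
        return claims.getSubject();
    }

    // Hardened pattern: parseClaimsJws() accepts only a signed JWS and verifies
    // the signature against the configured key, throwing JwtException otherwise.
    static String subjectViaParseClaimsJws(JwtParser parser, String token) {
        return parser.parseClaimsJws(token).getBody().getSubject();
    }

    public static void main(String[] args) {
        JwtParser parser = Jwts.parserBuilder().setSigningKey(KEY).build();

        // Token a legitimate issuer would produce.
        String signed = Jwts.builder().setSubject("alice").signWith(KEY).compact();
        // Constructed for the check: no signWith(), so the header says alg "none"
        // and the compact form ends in a trailing '.' with an empty signature.
        String unsigned = Jwts.builder().setSubject("alice").compact();

        System.out.println("signed   / parse():          " + subjectViaParse(parser, signed));
        System.out.println("signed   / parseClaimsJws(): " + subjectViaParseClaimsJws(parser, signed));
        // Demonstrates the weakness: the unsigned token yields a subject as if it were valid.
        System.out.println("unsigned / parse():          " + subjectViaParse(parser, unsigned));
        try {
            subjectViaParseClaimsJws(parser, unsigned);
            System.out.println("unsigned / parseClaimsJws(): accepted (unexpected)");
        } catch (JwtException e) {
            // Expected outcome for the hardened call.
            System.out.println("unsigned / parseClaimsJws(): rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

When reviewing code that consumes JWTs with jjwt, the thing to grep for is a bare parse() (or parsePlaintextJwt()/parseClaimsJwt()) on a token that is supposed to be authenticated; the signed-only variants parseClaimsJws()/parsePlaintextJws() are the ones that enforce a verified signature. The example assumes jjwt 0.11.x; later jjwt releases changed the parser API and its default handling of unsecured JWTs, so check the behaviour of the version actually on the classpath rather than relying on this output.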

Exploit

Fix

Weakness Enumeration
Improper Authentication
Improper Verification of Cryptographic Signature

Related Identifiers
CVE-2022-39366
GHSA-R8GM-V65F-C973

Affected Products
Datahub