PT-2023-30522 · Datahub
Dkonis · Published 2023-11-13 · Updated 2023-11-21
CVE-2023-47628
CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
DataHub versions prior to 0.12.1
Description
DataHub is an open-source metadata platform. DataHub Frontend configures its sessions with Play Framework's default settings for stateless sessions, which do not set an expiration time for the session cookie. As a result, a leaked session cookie remains valid indefinitely. The stateless session cookie is not invalidated on logout; it is only removed from the browser, so the user is prompted to log in again. An attacker who obtains the cookie of an authenticated user can therefore keep using it, because the server never validates the time window during which the session token is valid. The root cause is the combination of Play Framework's LegacyCookiesModule and the default settings that do not set an expiration time.
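To make the mechanism concrete, here is an added example (not DataHub's or Play's own code) that models a Play-style signed stateless session cookie: the legacy form, which the server checks for signature only and therefore accepts no matter how old it is, beside a variant that embeds an issued-at timestamp in the signed payload and enforces a server-side TTL. The secret key, cookie layout and field names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed demo secret; a real deployment would use its own application secret.
SECRET = b"constructed-demo-secret"


def sign(payload: str) -> str:
    """HMAC-SHA256 over the URL-encoded session data, hex encoded."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


# Legacy-style stateless cookie, modelled as "<signature>-<urlencoded data>".
# The server can verify integrity, but nothing in the payload says when it was issued.
def legacy_encode(data: dict) -> str:
    payload = urlencode(data)
    return f"{sign(payload)}-{payload}"


def legacy_decode(cookie: str) -> Optional[dict]:
    # The hex signature never contains '-', so the first '-' is the separator.
    sig, _, payload = cookie.partition("-")
    if not hmac.compare_digest(sig, sign(payload)):
        return None  # tampered or forged
    # Accepted regardless of age: a leaked cookie keeps working after "logout",
    # which only deletes the browser's copy.
    return dict(parse_qsl(payload))


# Hardened variant: an issued-at timestamp ("iat") is part of the signed payload,
# so it cannot be altered without breaking the signature, and the server rejects
# any cookie older than the configured TTL even if the browser still presents it.
def ttl_encode(data: dict, now: float) -> str:
    return legacy_encode({**data, "iat": str(int(now))})


def ttl_decode(cookie: str, now: float, ttl_seconds: int) -> Optional[dict]:
    data = legacy_decode(cookie)
    if data is None or "iat" not in data:
        return None  # unsigned, tampered, or missing the timestamp
    if now - int(data["iat"]) > ttl_seconds:
        return None  # expired: validity window enforced server-side
    return data
```

The "iat" check is what a browser-side cookie Max-Age alone cannot provide: expiring the cookie in the client does nothing against a copy that has already been exfiltrated.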
Recommendations
For versions prior to 0.12.1, update to version 0.12.1 to address the issue.
As a temporary workaround, consider implementing additional security measures to protect against session cookie leaks, such as enhancing cookie security settings or implementing stricter access controls, until the update to version 0.12.1 can be applied.
Weakness Enumeration
Insufficient Session Expiration
Affected Products
DataHub
LegacyCookiesModule
Play Framework