CVE-2023-47640

Name of the Vulnerable Software and Affected Versions DataHub versions prior to 0.11.1

Description The issue concerns the use of a SHA-1 HMAC with a short key length for signing session tokens in DataHub Frontend, making it vulnerable to brute force attacks by sufficiently resourced actors. An authenticated attacker could exploit this to obtain escalated privileges by generating a privileged session cookie. The vulnerability is exacerbated by the default settings of the Play LegacyCookiesModule and the shorter than recommended key length for the signing key.

Recommendations For versions prior to 0.11.1, update to the latest helm chart and rotate the session signing secret to resolve the issue.