PT-2024-19399 · Datahub · Datahub

Amit-Laish +1 · Published 2024-01-16 · Updated 2024-01-25 · CVE-2024-22409

CVSS v3.1: 7.5 High
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DataHub versions prior to 0.12.1

Description: DataHub is an open-source metadata platform. In affected versions, a low privileged user could remove a user, edit group members, or edit another user's profile information because the default privileges were overly broad. Since group membership is editable, this can escalate a low privileged user to admin privileges whenever a group holding admin privileges exists: the user simply adds themselves to that group. The issue may not impact instances that have modified the default privileges.

Recommendations: Upgrade to version 0.12.1, which addresses the issue. Until the upgrade can be applied, modify the default privileges to constrain what low privileged users can do, and restrict access to user management and group member editing to minimize the risk of exploitation. Instances that have already modified their default privileges should still verify that no remaining policy grants these capabilities to all users.
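The workaround above amounts to finding and tightening any policy that hands user or group management to every user. The script below is an added example, not code from this advisory or from the DataHub project: it audits a policy export for active policies whose actor filter matches all users and whose privileges touch user/group management, either directly through a platform privilege or indirectly through edit rights over user and group entities, and shows one way to narrow such a policy. The privilege names, entity type names, and the JSON shape of the policies are assumptions modelled on DataHub's policy vocabulary; the sample policies are constructed and should be replaced with your own instance's export.

```python
from copy import deepcopy

# Assumed names, modelled on DataHub's policy vocabulary; verify them against
# the policies your own instance returns before trusting the audit.
PLATFORM_USER_MGMT = {"MANAGE_USERS_AND_GROUPS", "MANAGE_POLICIES"}
METADATA_EDIT = {"EDIT_ENTITY", "EDIT_ENTITY_OWNERS", "EDIT_GROUP_MEMBERS",
                 "EDIT_USER_PROFILE"}
# Entity types that represent identities: an edit grant over them is user
# management in disguise, which is the escalation path this advisory describes.
IDENTITY_TYPES = {"corpuser", "corpGroup"}


def grants_to_everyone(actors):
    """True when a policy's actor filter matches every user or every group."""
    return bool(actors.get("allUsers") or actors.get("allGroups"))


def reaches_identities(policy):
    """True when the policy's resource filter covers user or group entities."""
    res = policy.get("resources") or {}
    if res.get("allResources"):
        return True
    return bool(IDENTITY_TYPES & set(res.get("types") or []))


def audit_policies(policies):
    """Return (urn, reason, privileges) for each ACTIVE policy that lets all
    users manage users or groups, directly or via edit rights on identities."""
    findings = []
    for policy in policies:
        if policy.get("state") != "ACTIVE":
            continue
        if not grants_to_everyone(policy.get("actors") or {}):
            continue
        privs = set(policy.get("privileges") or [])
        if policy.get("type") == "PLATFORM":
            hit = privs & PLATFORM_USER_MGMT
            if hit:
                findings.append((policy["urn"],
                                 "platform user-management privilege granted to all users",
                                 sorted(hit)))
        elif policy.get("type") == "METADATA":
            hit = privs & METADATA_EDIT
            if hit and reaches_identities(policy):
                findings.append((policy["urn"],
                                 "edit privilege over user/group entities granted to all users",
                                 sorted(hit)))
    return findings


def exclude_identity_resources(policy, known_types):
    """Workaround shape: copy a metadata policy and replace its resource filter
    with an explicit list of entity types that omits users and groups."""
    tightened = deepcopy(policy)
    res = tightened.setdefault("resources", {})
    res["allResources"] = False
    res["types"] = sorted(t for t in known_types if t not in IDENTITY_TYPES)
    return tightened


# Constructed sample in the assumed shape of a policy export; not real data.
SAMPLE_POLICIES = [
    {"urn": "urn:li:dataHubPolicy:all-users-edit", "type": "METADATA", "state": "ACTIVE",
     "privileges": ["EDIT_ENTITY", "EDIT_ENTITY_OWNERS"],
     "actors": {"allUsers": True, "allGroups": False},
     "resources": {"allResources": True, "types": []}},
    {"urn": "urn:li:dataHubPolicy:all-users-view", "type": "METADATA", "state": "ACTIVE",
     "privileges": ["VIEW_ENTITY_PAGE"],
     "actors": {"allUsers": True, "allGroups": False},
     "resources": {"allResources": True, "types": []}},
    {"urn": "urn:li:dataHubPolicy:admins-manage-users", "type": "PLATFORM", "state": "ACTIVE",
     "privileges": ["MANAGE_USERS_AND_GROUPS"],
     "actors": {"allUsers": False, "allGroups": False, "users": ["urn:li:corpuser:admin"]}},
    {"urn": "urn:li:dataHubPolicy:legacy-everyone-admin", "type": "PLATFORM", "state": "INACTIVE",
     "privileges": ["MANAGE_USERS_AND_GROUPS"],
     "actors": {"allUsers": True, "allGroups": False}},
]

# Assumed entity types present on the instance; an explicit list is what the
# tightened resource filter enumerates.
KNOWN_TYPES = ["dataset", "dashboard", "chart", "corpuser", "corpGroup"]

if __name__ == "__main__":
    for urn, reason, privs in audit_policies(SAMPLE_POLICIES):
        print(f"{urn}: {reason} ({', '.join(privs)})")
    tightened = [exclude_identity_resources(p, KNOWN_TYPES) if p["type"] == "METADATA" else p
                 for p in SAMPLE_POLICIES]
    print("findings after tightening:", audit_policies(tightened))
```

Only the everyone-can-edit-everything metadata policy is flagged: the view-only policy grants no edit privilege, the admin policy is scoped to a named user, and the inactive policy is ignored. After the resource filter is narrowed to non-identity entity types the audit is clean, which is the state to confirm before treating the workaround as applied; the upgrade to 0.12.1 remains the actual fix.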

Weakness Enumeration

CWE-276: Incorrect Default Permissions

Related Identifiers

CVE-2024-22409
GHSA-X3V6-R479-M4XV

Affected Products

Datahub