Wiz
Vulnerability DatabaseCVE-2023-25560

CVE-2023-25560
DataHub vulnerability analysis and mitigation

Overview

CVE-2023-25560 is a JSON Injection vulnerability discovered in DataHub's frontend that affects version v0.8.44. The vulnerability was disclosed on January 6, 2023. The issue exists in the AuthServiceClient component where multiple JSON strings are crafted using user-controlled data (GitHub Advisory).

Technical details

The vulnerability occurs when the AuthServiceClient crafts JSON strings using format strings with user-controlled data. These JSON strings are then sent to the backend and parsed using the Jackson library. Due to the way Jackson handles colliding keys by using the last appearing value in the string, an attacker may be able to inject arbitrary fields in the JSON string that could shadow values added by the frontend (GitHub Advisory).

Impact

This vulnerability can be exploited to generate JWT tokens for arbitrary accounts or create arbitrary native accounts, including system admin accounts. The ability to create system accounts effectively leads to full system compromise, as these accounts have elevated privileges (GitHub Advisory).

Mitigation and workarounds

The vulnerability was fixed in DataHub version v0.8.45. Users are advised to upgrade to this version or later to protect against this vulnerability (GitHub Advisory).

Additional resources

SourceThis report was generated using AI

Related DataHub vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2023-25562CRITICAL9.8
  • DataHubDataHub
  • cpe:2.3:a:datahub_project:datahub
NoYesFeb 11, 2023
CVE-2024-22409HIGH8.8
  • DataHubDataHub
  • cpe:2.3:a:datahub_project:datahub
NoYesJan 16, 2024
CVE-2023-47640HIGH8.8
  • DataHubDataHub
  • cpe:2.3:a:datahub_project:datahub
NoYesNov 14, 2023
CVE-2023-47629HIGH8
  • DataHubDataHub
  • cpe:2.3:a:datahub_project:datahub
NoYesNov 14, 2023
CVE-2023-47628MEDIUM4.8
  • DataHubDataHub
  • cpe:2.3:a:datahub_project:datahub
NoYesNov 14, 2023

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo