CVE-2023-25561: 
DataHub vulnerability analysis and mitigation

CVE-2023-25561 is a vulnerability in DataHub's Java Authentication and Authorization Service (JAAS) authentication system. When JAAS authentication is used and the given configuration file contains an error, the authentication fails open and allows an attacker to login as any user using any password. The vulnerability was discovered in September 2022 and disclosed in January 2023 (GitHub Security Lab).

The vulnerability exists in the authenticateJaasUser method of the AuthenticationManager class. The only exception caught in the try-block is LoginException, while any other exceptions (like IOException from malformed JAAS configuration) are swallowed, allowing the login process to continue successfully. This means if the JAAS configuration file (e.g., jaas.conf) contains syntax errors, the authentication check is bypassed completely (GitHub Security Lab).

This vulnerability allows an attacker to bypass authentication completely and gain unauthorized access to the system. When exploited, any username and password combination would be accepted if the JAAS configuration contains errors, effectively compromising the entire authentication system (GitHub Security Lab).

The vulnerability was addressed in DataHub's v0.8.45 release. Users should upgrade to this version or later to protect against this authentication bypass vulnerability (GitHub Security Lab).