CVE-2023-25562: 
DataHub vulnerability analysis and mitigation

DataHub, an open-source metadata platform, was found to contain a session management vulnerability (CVE-2023-25562) in versions prior to 0.8.45. The vulnerability was discovered and reported by the GitHub Security Lab (tracked as GHSL-2022-083) and involves improper session cookie handling during logout operations (GitHub Advisory).

The vulnerability stems from the session cookie management implementation where cookies are only cleared on new sign-in events but not during logout operations. The authentication checks using the AuthUtils.hasValidSessionCookie() method could be bypassed by using a cookie from a logged-out session, as these cookies were still considered valid by the system (GHSL Report).

This vulnerability could lead to authentication bypass, allowing an attacker to maintain access to the system even after a user has logged out. Any logged-out session cookie may be accepted as valid, potentially enabling unauthorized access to protected resources and functionality (GHSL Report).

Users are advised to upgrade to DataHub version 0.8.45 or later, which addresses this vulnerability. There are no known workarounds for this issue other than upgrading to a patched version (GHSL Report).