CVE-2023-47628: 
DataHub vulnerability analysis and mitigation

DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. The vulnerability (CVE-2023-47628) was discovered in DataHub, an open-source metadata platform, affecting all versions prior to 0.12.1. The issue was disclosed on November 13, 2023, and involves session cookies that remain valid indefinitely if leaked (GitHub Advisory).

The vulnerability stems from DataHub's use of stateless session cookies in combination with Play Framework's LegacyCookiesModule and default settings. When a user logs out, the session cookie is only removed from the browser but not invalidated on the server side. The critical issue is that there is no validation of the time window for which the session token remains valid. This implementation means that any session token created at any point in time will be accepted as valid for the authenticated user (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 4.8 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) by NVD (NVD).

If an attacker manages to extract a session cookie from an authenticated user, they can use it indefinitely to maintain unauthorized access to the system. This poses a significant security risk as the compromised session tokens never expire and can be used for persistent unauthorized access (GitHub Advisory).

Users are advised to update to version 0.12.1 which addresses the issue by implementing proper session expiration. There are no known workarounds for this vulnerability (NVD).