CVE-2023-47629: 
DataHub vulnerability analysis and mitigation

CVE-2023-47629 affects DataHub, an open-source metadata platform. The vulnerability was discovered and disclosed on November 13, 2023. The issue allows users with email sign-up links to potentially create admin accounts under specific conditions, affecting all DataHub instances prior to version 0.12.1 that have removed the default datahub user but retained the default policies (GitHub Advisory).

The vulnerability stems from improper privilege management in the email sign-up process. When a user receives an invite link, they can exploit the system by signing up with 'datahub' as the username. If the default datahub user has been removed but the default policies remain in place, the newly created account automatically inherits admin privileges. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability can lead to privilege escalation, allowing unauthorized users to gain administrative access to the system. This could potentially result in unauthorized access to sensitive metadata, system configuration changes, and complete control over the DataHub instance (GitHub Advisory).

Users are advised to upgrade to DataHub version 0.12.1 or later, which addresses this vulnerability. There are no known workarounds for affected versions (NVD).