
Cloud Vulnerability DB
A community-led vulnerabilities database
GHSA-47qg-q58v-7vrp is an authorization bypass in amundsen-frontend (the Python package for the Amundsen frontend service), affecting versions 2.3.0 and 3.0.0. The frontend exposes two configuration settings, UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES, that are meant to block edits to table and column descriptions for the schemas and tables they name; the affected releases honored them only in the UI, not in the backend. The advisory was published on December 2, 2020, and the issue is fixed in version 3.1.0 (GitHub Advisory).
The root cause is client-side-only enforcement. The UI read the two settings and disabled the inline description editors for matching tables, but the frontend service's Flask backend, specifically the put_table_description and put_column_description endpoints that actually persist the edits, performed no check against either setting. A disabled control in the browser is a usability hint, not an access control: anyone who can reach the API can skip the UI and call the endpoint directly (GitHub Advisory).
Any installation that configured UNEDITABLE_SCHEMAS and/or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES in the frontend was affected: any user able to reach the frontend service could overwrite table and column descriptions with a direct API call, regardless of the configured restrictions (GitHub Advisory).
Version 3.1.0 adds the missing validation to the backend endpoints so that both settings are enforced server-side as well as in the UI. Upgrade to 3.1.0 or later. A quick way to confirm the fix is in place is to send a PUT to the description endpoint for a table that matches one of your restrictions, bypassing the UI, and verify that the request is rejected rather than silently accepted (GitHub Advisory).
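The gap and the fix described above, as an added example that is not amundsen-frontend's own code: a server-side `is_table_editable` check driven by the two real setting names, applied to a simplified PUT-description handler in its vulnerable and hardened shapes. The `MatchRule` class, the `db://cluster.schema/table[/column]` key format, the handler signatures and the sample configuration are assumptions made for this demo.

```python
"""Server-side enforcement of "uneditable" table/column description rules.

Added example, not amundsen-frontend's own code. It models the check that the
put_table_description / put_column_description endpoints lacked: the two
config names are the real ones; MatchRule, the key format, the handler
signatures and CONFIG are assumptions for this demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MatchRule:
    """Marks a table uneditable when every regex that is set fully matches."""
    schema_regex: Optional[str] = None
    table_name_regex: Optional[str] = None

    def __post_init__(self) -> None:
        # A rule with no regex would match everything; refuse it up front.
        if self.schema_regex is None and self.table_name_regex is None:
            raise ValueError("MatchRule needs at least one regex")

    def matches(self, schema: str, table: str) -> bool:
        checks = [(self.schema_regex, schema), (self.table_name_regex, table)]
        return all(re.fullmatch(rx, value) is not None
                   for rx, value in checks if rx is not None)


# Constructed sample configuration using the two settings named in the advisory.
CONFIG: Dict[str, object] = {
    "UNEDITABLE_SCHEMAS": {"raw_landing", "pii"},
    "UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES": [
        MatchRule(schema_regex=r"analytics", table_name_regex=r".*_snapshot"),
        MatchRule(table_name_regex=r"__.*"),  # any schema, names starting "__"
    ],
}

# Assumed key format: db://cluster.schema/table and db://cluster.schema/table/column
KEY_RE = re.compile(r"^(?P<db>[^:]+)://(?P<cluster>[^.]+)\.(?P<schema>[^/]+)"
                    r"/(?P<table>[^/]+)(?:/(?P<column>[^/]+))?$")


def parse_key(key: str) -> Tuple[str, str, Optional[str]]:
    """Return (schema, table, column-or-None) from a resource key."""
    m = KEY_RE.match(key)
    if m is None:
        raise ValueError(f"malformed key: {key!r}")
    return m["schema"], m["table"], m["column"]


def is_table_editable(schema: str, table: str, cfg: Dict = CONFIG) -> bool:
    """The check the UI applies to hide the editor, now usable by the backend."""
    if schema in cfg["UNEDITABLE_SCHEMAS"]:
        return False
    rules: List[MatchRule] = cfg["UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES"]
    return not any(r.matches(schema, table) for r in rules)


# --- Vulnerable shape: trusts that the UI hid the editor, writes unconditionally.
def put_description_vulnerable(store: Dict[str, str], key: str, description: str) -> int:
    store[key] = description          # no authorization check; always 200
    return 200


# --- Hardened shape: same rule evaluated server-side; a column edit is governed
# --- by its parent table's rule, so the column part of the key is ignored here.
def put_description_fixed(store: Dict[str, str], key: str, description: str,
                          cfg: Dict = CONFIG) -> int:
    try:
        schema, table, _column = parse_key(key)
    except ValueError:
        return 400
    if not is_table_editable(schema, table, cfg):
        return 403                    # reject the write, don't just hide the button
    store[key] = description
    return 200


def demo() -> Dict[str, Tuple[int, int]]:
    """Replay a direct API call (curl-style, no UI) against both handlers."""
    results: Dict[str, Tuple[int, int]] = {}
    for key in ["hive://gold.analytics/daily_snapshot",   # match rule 1
                "hive://gold.pii/users/email",            # uneditable schema, column key
                "hive://gold.analytics/daily_metrics",    # no rule applies
                "hive://gold.marketing/__tmp_join"]:      # match rule 2
        before: Dict[str, str] = {}
        after: Dict[str, str] = {}
        results[key] = (put_description_vulnerable(before, key, "edited via curl"),
                        put_description_fixed(after, key, "edited via curl"))
    return results


if __name__ == "__main__":
    for key, (vuln, fixed) in demo().items():
        print(f"{key:45s} vulnerable={vuln} fixed={fixed}")
```

The important design point is that `is_table_editable` is one function consumed by both the UI (to disable the editor) and the write path (to refuse the request), so the two can no longer drift apart; the vulnerable handler shows what happens when only the first consumer exists.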
Source: This report was generated using AI