VYPR

Datahub

by Datahub Project

CVEs (14)

  • CVE-2026-44501 | Med | May 14, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    DataHub is an open-source metadata platform. Prior to 1.5.0.3, the DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC callback flow, with no integrity protection (no HMAC, no encryption). This…

  • CVE-2026-25644 | Feb 6, 2026
    risk 0.00 | cvss - | epss 0.00

    DataHub is an open-source metadata platform. Prior to version 1.3.1.8, the LDAP ingestion source is vulnerable to a MITM attack through TLS downgrade. This issue has been patched in version 1.3.1.8.

  • CVE-2024-29037 | Mar 20, 2024
    risk 0.00 | cvss - | epss 0.01

    datahub-helm provides the Kubernetes Helm charts for deploying Datahub and its dependencies on a Kubernetes cluster. Starting in version 0.1.143 and prior to version 0.2.182, due to configuration issues in the helm chart, if there was a successful initial deployment during a…

  • CVE-2024-22409 | Jan 16, 2024
    risk 0.00 | cvss - | epss 0.01

    DataHub is an open-source metadata platform. In affected versions a low privileged user could remove a user, edit group members, or edit another user's profile information. The default privileges gave too many broad permissions to low privileged users. These have been…

  • CVE-2023-47640 | Nov 14, 2023
    risk 0.00 | cvss - | epss 0.00

    DataHub is an open-source metadata platform. The HMAC signature for DataHub Frontend sessions was being signed using a SHA-1 HMAC with the frontend secret key. SHA1 with a 10 byte key can be brute forced using sufficient resources (i.e. state level actors with large…

  • CVE-2023-47628 | Nov 14, 2023
    risk 0.00 | cvss - | epss 0.00

    DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever.…

  • CVE-2023-47629 | Nov 14, 2023
    risk 0.00 | cvss - | epss 0.00

    DataHub is an open-source metadata platform. In affected versions sign-up through an invite link does not properly restrict users from signing up as privileged accounts. If a user is given an email sign-up link they can potentially create an admin account given certain…

  • CVE-2023-25557 | Feb 10, 2023
    risk 0.00 | cvss - | epss 0.01

    DataHub is an open-source metadata platform. The DataHub frontend acts as a proxy able to forward any REST or GraphQL requests to the backend. The goal of this proxy is to perform authentication if needed and forward HTTP requests to the DataHub Metadata Store (GMS). It has been…

  • CVE-2023-25558 | Feb 10, 2023
    risk 0.00 | cvss - | epss 0.01

    DataHub is an open-source metadata platform. When the DataHub frontend is configured to authenticate via SSO, it will leverage the pac4j library. The processing of the `id_token` is done in an unsafe manner which is not properly accounted for by the DataHub frontend.…

  • CVE-2023-25559 | Feb 10, 2023
    risk 0.00 | cvss - | epss 0.01

    DataHub is an open-source metadata platform. When not using authentication for the metadata service, which is the default configuration, the Metadata service (GMS) will use the X-DataHub-Actor HTTP header to infer the user the frontend is sending the request on behalf of. When…

  • CVE-2023-25560 | Feb 10, 2023
    risk 0.00 | cvss - | epss 0.01

    DataHub is an open-source metadata platform. The AuthServiceClient which is responsible for creation of new accounts, verifying credentials, resetting them or requesting access tokens, crafts multiple JSON strings using format strings with user-controlled data. This means that…

  • CVE-2023-25561 | Feb 10, 2023
    risk 0.00 | cvss - | epss 0.00

    DataHub is an open-source metadata platform. In the event a system is using Java Authentication and Authorization Service (JAAS) authentication and that system is given a configuration which contains an error, the authentication for the system will fail open and allow an…

  • CVE-2023-25562 | Feb 10, 2023
    risk 0.00 | cvss - | epss 0.00

    DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45, session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` method could be bypassed by using a cookie…

  • CVE-2022-39366 | Oct 28, 2022
    risk 0.00 | cvss - | epss 0.01

    DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service…