CVE-2022-39366

Source
https://cve.org/CVERecord?id=CVE-2022-39366
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39366.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-39366
Aliases
Published
2022-10-28T00:00:00Z
Modified
2026-07-15T02:08:12.054238285Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L CVSS Calculator
Summary
DataHub missing JWT signature check
Details

DataHub is an open-source metadata platform. Prior to version 0.8.45, the StatelessTokenService of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the StatelessTokenService of the Metadata service uses the parse method of io.jsonwebtoken.JwtParser, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds.

Database specific
{
    "cwe_ids": [
        "CWE-287",
        "CWE-303"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39366.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/acryldata/datahub

Affected ranges

Type
GIT
Repo
https://github.com/acryldata/datahub
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:datahub:datahub:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.45"
        }
    ],
    "source": "CPE_RANGE"
}
Type
GIT
Repo
https://github.com/datahub-project/datahub
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:datahub:datahub:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.45"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.8.38.4rc1
RC-v0.*
RC-v0.8.28
v0.*
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0-BETA
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.8.0-pre
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.16
v0.8.16.10
v0.8.16.11
v0.8.16.12
v0.8.16.9
v0.8.17
v0.8.17.0
v0.8.17.1
v0.8.17.2
v0.8.17.3
v0.8.17.4
v0.8.17.5
v0.8.17.6
v0.8.17.7
v0.8.18
v0.8.18.0
v0.8.18.1
v0.8.19
v0.8.19.0
v0.8.19.1
v0.8.2
v0.8.20
v0.8.20.0
v0.8.21
v0.8.21.0
v0.8.22
v0.8.22.0
v0.8.22.1
v0.8.23
v0.8.23.0
v0.8.23.1
v0.8.23.2
v0.8.24
v0.8.24.0
v0.8.24.1
v0.8.24.2
v0.8.24.3
v0.8.25
v0.8.25.0
v0.8.25.1
v0.8.25.2
v0.8.26
v0.8.26.0
v0.8.26.1
v0.8.26.2
v0.8.26.5
v0.8.27
v0.8.27.1
v0.8.27.1rc1
v0.8.27.2
v0.8.27.2rc1
v0.8.27.2rc2
v0.8.27.2rc3
v0.8.28
v0.8.28.0
v0.8.28.0rc1
v0.8.28.1
v0.8.28rc1
v0.8.29
v0.8.3
v0.8.30
v0.8.31
v0.8.31.1
v0.8.31.1rc1
v0.8.31.2
v0.8.31.3
v0.8.31.3rc1
v0.8.31.4
v0.8.31.4rc1
v0.8.31.5
v0.8.31.5rc1
v0.8.31.6
v0.8.31.6rc1
v0.8.31.6rc2
v0.8.32
v0.8.32.1
v0.8.32.2
v0.8.32.2rc1
v0.8.32.3
v0.8.32.3rc1
v0.8.32.4
v0.8.32.4rc1
v0.8.32.4rc2
v0.8.32.5
v0.8.32.5rc1
v0.8.32.6
v0.8.32.6rc1
v0.8.32.6rc2
v0.8.32.6rc3
v0.8.32rc1
v0.8.32rc2
v0.8.32rc3
v0.8.32rc4
v0.8.33
v0.8.33.1
v0.8.33.2
v0.8.33.2rc1
v0.8.33.2rc2
v0.8.33.3
v0.8.33.3rc1
v0.8.33.3rc2
v0.8.33.3rc3
v0.8.33rc1
v0.8.34
v0.8.34.1
v0.8.34.1rc1
v0.8.34.1rc2
v0.8.34.1rc3
v0.8.34.2
v0.8.34.2rc1
v0.8.34.2rc2
v0.8.34.2rc3
v0.8.34.2rc4
v0.8.34.3rc1
v0.8.35
v0.8.35.0rc1
v0.8.35.1
v0.8.35.1rc1
v0.8.35.2
v0.8.35.2rc1
v0.8.35.3
v0.8.35.3rc1
v0.8.35.4
v0.8.35.4rc1
v0.8.35.5
v0.8.35.5rc1
v0.8.35.6
v0.8.35.6rc1
v0.8.35.6rc2
v0.8.35.7
v0.8.35.7rc1
v0.8.35.8rc1
v0.8.35.8rc2
v0.8.35.8rc3
v0.8.36
v0.8.36.0rc0
v0.8.36.1rc1
v0.8.36.1rc10
v0.8.36.1rc2
v0.8.36.1rc3
v0.8.36.1rc4
v0.8.36.1rc5
v0.8.36.1rc6
v0.8.36.1rc7
v0.8.36.1rc8
v0.8.36.1rc9
v0.8.36rc1
v0.8.37
v0.8.37.0rc0
v0.8.37rc0
v0.8.38
v0.8.38.1
v0.8.38.1rc0
v0.8.38.1rc1
v0.8.38.2
v0.8.38.2rc1
v0.8.38.3
v0.8.38.3rc1
v0.8.38.4
v0.8.38.4rc0
v0.8.38.4rc1
v0.8.38.4rc2
v0.8.38.4rc3
v0.8.38.5
v0.8.38.5rc0
v0.8.39
v0.8.39.1rc1
v0.8.39.1rc2
v0.8.39.1rc3
v0.8.39.1rc4
v0.8.39.1rc5
v0.8.39.1rc6
v0.8.39.1rc7
v0.8.39.1rc8
v0.8.39rc0
v0.8.4
v0.8.40
v0.8.40.1
v0.8.40.2
v0.8.40.2rc0
v0.8.40.3
v0.8.40.3rc0
v0.8.40.3rc1
v0.8.40.3rc2
v0.8.40.3rc3
v0.8.40.4rc1
v0.8.40.4rc2
v0.8.40rc1
v0.8.41
v0.8.41.1
v0.8.41.1rc0
v0.8.41.1rc1
v0.8.41.1rc2
v0.8.41.1rc3
v0.8.41.1rc4
v0.8.41.2
v0.8.41.2rc0
v0.8.41.2rc1
v0.8.41.3rc1
v0.8.41.3rc2
v0.8.41.3rc3
v0.8.41rc1
v0.8.41rc2
v0.8.42
v0.8.42rc1
v0.8.42rc2
v0.8.43
v0.8.43.1
v0.8.43.1rc0
v0.8.43.1rc1
v0.8.43.2
v0.8.43.2rc0
v0.8.43.2rc1
v0.8.43.3
v0.8.43.3rc0
v0.8.43.3rc1
v0.8.43.3rc2
v0.8.43.3rc3
v0.8.43.3rc4
v0.8.43.3rc5
v0.8.43.4
v0.8.43.4rc1
v0.8.43.4rc2
v0.8.43.5
v0.8.43.5rc1
v0.8.43.5rc2
v0.8.43.5rc3
v0.8.43.6
v0.8.43.6rc0
v0.8.43.6rc1
v0.8.43rc2
v0.8.43rc3
v0.8.43rc4
v0.8.44
v0.8.44.1
v0.8.44.1rc0
v0.8.44.1rc1
v0.8.44.1rc2
v0.8.44.1rc3
v0.8.44.1rc4
v0.8.44.2
v0.8.44.2rc0
v0.8.44.2rc1
v0.8.44.2rc2
v0.8.44.3
v0.8.44.3rc0
v0.8.44.3rc1
v0.8.44.3rc2
v0.8.44.3rc3
v0.8.44.3rc4
v0.8.44.4
v0.8.44.4rc0
v0.8.44.4rc1
v0.8.44.5
v0.8.44.5rc0
v0.8.44.5rc1
v0.8.44.5rc2
v0.8.44.5rc3
v0.8.44rc0
v0.8.44rc1
v0.8.44rc2
v0.8.44rc3
v0.8.44rc4
v0.8.44rc5
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39366.json"