CVE-2023-25560

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-25560
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25560.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-25560
Aliases
  • GHSA-6rpf-5cfg-h8f3
Published
2023-02-10T22:03:03.926Z
Modified
2026-01-09T19:12:42.970798Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
JSON Injection in DataHub
Details

DataHub is an open-source metadata platform. The AuthServiceClient, which is responsible for creating new accounts, verifying credentials, resetting them or requesting access tokens, crafts multiple JSON strings using format strings with user-controlled data. This means that an attacker may be able to augment the JSON strings sent to the backend, which can potentially be abused by including new or colliding values. This issue may lead to an authentication bypass and the creation of system accounts, which can effectively lead to full system compromise. Users are advised to upgrade. There are no known workarounds for this vulnerability. This vulnerability was discovered and reported by the GitHub Security Lab and is tracked as GHSL-2022-080.
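
The pattern described above, as an added example that is not DataHub's code: it is written in Python rather than the project's Java, and the template, the field names `user` and `password`, and the sample input are constructed assumptions. It contrasts a format-string JSON body with a serialized one and adds a backend-side parse that rejects colliding or unexpected keys.

```python
import json

# Hypothetical request template modelled on the pattern the advisory describes:
# a JSON body assembled with a format string (not DataHub's actual code).
TEMPLATE = '{"user": "%s", "password": "%s"}'

# Constructed input: a value that carries a quote and a colliding key.
CONSTRUCTED_PASSWORD = 'x", "user": "bob'


def build_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern: input is pasted into the JSON text unescaped."""
    return TEMPLATE % (user, password)


def build_safe(user: str, password: str) -> str:
    """Hardened pattern: the serializer escapes quotes and backslashes."""
    return json.dumps({"user": user, "password": password})


def parse_lenient(body: str) -> dict:
    """Default parse: on duplicate keys the last occurrence silently wins."""
    return json.loads(body)


def _reject_duplicates(pairs):
    """object_pairs_hook that fails on colliding keys instead of merging them."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate JSON key: {key!r}")
        seen[key] = value
    return seen


def parse_strict(body: str, allowed=frozenset({"user", "password"})) -> dict:
    """Backend-side check: no duplicate keys, no keys outside the expected set."""
    obj = json.loads(body, object_pairs_hook=_reject_duplicates)
    extra = set(obj) - set(allowed)
    if extra:
        raise ValueError(f"unexpected JSON keys: {sorted(extra)}")
    return obj


if __name__ == "__main__":
    print(parse_lenient(build_unsafe("alice", CONSTRUCTED_PASSWORD)))
    print(parse_strict(build_safe("alice", CONSTRUCTED_PASSWORD)))
```

With the format-string builder the lenient parse reports the second `user` value; with the serializer the whole input stays inside the `password` string.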

Database specific
{
    "cwe_ids": [
        "CWE-913"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25560.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/acryldata/datahub

Affected ranges

Type
GIT
Repo
https://github.com/acryldata/datahub
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.8.38.4rc1

v0.*

v0.8.16.10
v0.8.16.11
v0.8.16.12
v0.8.16.9
v0.8.17.0
v0.8.17.1
v0.8.17.2
v0.8.17.3
v0.8.17.4
v0.8.17.5
v0.8.17.6
v0.8.17.7
v0.8.18
v0.8.18.0
v0.8.18.1
v0.8.19.0
v0.8.19.1
v0.8.20.0
v0.8.21.0
v0.8.22.0
v0.8.22.1
v0.8.23.0
v0.8.23.1
v0.8.23.2
v0.8.24.0
v0.8.24.1
v0.8.24.2
v0.8.24.3
v0.8.25
v0.8.25.0
v0.8.25.1
v0.8.25.2
v0.8.26.0
v0.8.26.1
v0.8.26.2
v0.8.26.3
v0.8.26.4
v0.8.26.5
v0.8.26.6
v0.8.26.7
v0.8.26.7rc1
v0.8.26.7rc2
v0.8.26.8
v0.8.26.8rc1
v0.8.27
v0.8.27.1
v0.8.27.1rc1
v0.8.27.2
v0.8.27.2rc1
v0.8.27.2rc2
v0.8.27.2rc3
v0.8.28
v0.8.28.0
v0.8.28.0rc1
v0.8.28.1
v0.8.29
v0.8.29.1
v0.8.29.2
v0.8.30
v0.8.30.0
v0.8.31
v0.8.31.1
v0.8.31.1rc1
v0.8.31.2
v0.8.31.3
v0.8.31.3rc1
v0.8.31.4
v0.8.31.4rc1
v0.8.31.5
v0.8.31.5rc1
v0.8.31.6
v0.8.31.6rc1
v0.8.31.6rc2
v0.8.32
v0.8.32.1
v0.8.32.2
v0.8.32.2rc1
v0.8.32.3
v0.8.32.3rc1
v0.8.32.4
v0.8.32.4rc1
v0.8.32.4rc2
v0.8.32.5
v0.8.32.5rc1
v0.8.32.6
v0.8.32.6rc1
v0.8.32.6rc2
v0.8.32.6rc3
v0.8.32.7
v0.8.32rc1
v0.8.32rc2
v0.8.32rc3
v0.8.32rc4
v0.8.33
v0.8.33.1
v0.8.33.2
v0.8.33.2rc1
v0.8.33.2rc2
v0.8.33.3
v0.8.33.3rc1
v0.8.33.3rc2
v0.8.33.3rc3
v0.8.33rc1
v0.8.34
v0.8.34.1
v0.8.34.1rc1
v0.8.34.1rc2
v0.8.34.1rc3
v0.8.34.2
v0.8.34.2rc1
v0.8.34.2rc2
v0.8.34.2rc3
v0.8.34.2rc4
v0.8.34.3rc1
v0.8.35
v0.8.35.0rc1
v0.8.35.0rc2
v0.8.35.1
v0.8.35.1rc1
v0.8.35.2
v0.8.35.2rc1
v0.8.35.3
v0.8.35.3rc1
v0.8.35.4
v0.8.35.4rc1
v0.8.35.5
v0.8.35.5rc1
v0.8.35.6
v0.8.35.6rc1
v0.8.35.6rc2
v0.8.35.7
v0.8.35.7rc1
v0.8.35.8rc1
v0.8.35.8rc2
v0.8.35.8rc3
v0.8.36
v0.8.36.0rc0
v0.8.36.1rc1
v0.8.36.1rc10
v0.8.36.1rc2
v0.8.36.1rc3
v0.8.36.1rc4
v0.8.36.1rc5
v0.8.36.1rc6
v0.8.36.1rc7
v0.8.36.1rc8
v0.8.36.1rc9
v0.8.36rc1
v0.8.37
v0.8.37.0rc0
v0.8.37rc0
v0.8.38
v0.8.38.1
v0.8.38.1rc0
v0.8.38.1rc1
v0.8.38.2
v0.8.38.2rc1
v0.8.38.3
v0.8.38.3rc1
v0.8.38.4
v0.8.38.4rc0
v0.8.38.4rc1
v0.8.38.4rc2
v0.8.38.4rc3
v0.8.38.5
v0.8.38.5rc0
v0.8.39
v0.8.39.1rc1
v0.8.39.1rc2
v0.8.39.1rc3
v0.8.39.1rc4
v0.8.39.1rc5
v0.8.39.1rc6
v0.8.39.1rc7
v0.8.39.1rc8
v0.8.39rc0
v0.8.40
v0.8.40.1
v0.8.40.2
v0.8.40.2rc0
v0.8.40.3
v0.8.40.3rc0
v0.8.40.3rc1
v0.8.40.3rc2
v0.8.40.3rc3
v0.8.40.4rc1
v0.8.40.4rc2
v0.8.40rc1
v0.8.41
v0.8.41.1
v0.8.41.1rc0
v0.8.41.1rc1
v0.8.41.1rc2
v0.8.41.1rc3
v0.8.41.1rc4
v0.8.41.2
v0.8.41.2rc0
v0.8.41.2rc1
v0.8.41.3rc1
v0.8.41.3rc2
v0.8.41.3rc3
v0.8.41rc1
v0.8.41rc2
v0.8.42
v0.8.42rc1
v0.8.42rc2
v0.8.43
v0.8.43.1
v0.8.43.1rc0
v0.8.43.1rc1
v0.8.43.2
v0.8.43.2rc0
v0.8.43.2rc1
v0.8.43.3
v0.8.43.3rc0
v0.8.43.3rc1
v0.8.43.3rc2
v0.8.43.3rc3
v0.8.43.3rc4
v0.8.43.3rc5
v0.8.43.4
v0.8.43.4rc1
v0.8.43.4rc2
v0.8.43.5
v0.8.43.5rc1
v0.8.43.5rc2
v0.8.43.5rc3
v0.8.43.6
v0.8.43.6rc0
v0.8.43.6rc1
v0.8.43rc1
v0.8.43rc2
v0.8.43rc3
v0.8.43rc4
v0.8.44
v0.8.44.1
v0.8.44.1rc0
v0.8.44.1rc1
v0.8.44.1rc2
v0.8.44.1rc3
v0.8.44.1rc4
v0.8.44.2
v0.8.44.2rc0
v0.8.44.2rc1
v0.8.44.2rc2
v0.8.44.3
v0.8.44.3rc0
v0.8.44.3rc1
v0.8.44.3rc2
v0.8.44.3rc3
v0.8.44.3rc4
v0.8.44.4
v0.8.44.4rc0
v0.8.44.4rc1
v0.8.44.5
v0.8.44.5rc0
v0.8.44.5rc1
v0.8.44.5rc2
v0.8.44.5rc3
v0.8.44rc0
v0.8.44rc1
v0.8.44rc2
v0.8.44rc3
v0.8.44rc4
v0.8.44rc5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25560.json"

Git / github.com/datahub-project/datahub

Affected ranges

Type
GIT
Repo
https://github.com/datahub-project/datahub
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

RC-v0.*

RC-v0.8.28

v0.*

v0.1.0-alpha
v0.1.1-alpha
v0.2.0-alpha
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0-BETA
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.8.0-pre
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.16
v0.8.17
v0.8.18
v0.8.19
v0.8.2
v0.8.20
v0.8.21
v0.8.22
v0.8.23
v0.8.24
v0.8.25
v0.8.26
v0.8.27
v0.8.28
v0.8.28rc1
v0.8.29
v0.8.3
v0.8.30
v0.8.31
v0.8.32
v0.8.33
v0.8.34
v0.8.35
v0.8.36
v0.8.37
v0.8.38
v0.8.39
v0.8.4
v0.8.40
v0.8.41
v0.8.42
v0.8.43
v0.8.44
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25560.json"

vanir_signatures

[
    {
        "deprecated": false,
        "id": "CVE-2023-25560-16f79a12",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "31554251648533416152623010086936924547",
                "155760737878228610195097988911985706046",
                "284220006101245241007895365429582833180",
                "221398545169308186189998836629710439288"
            ]
        },
        "source": "https://github.com/datahub-project/datahub/commit/af6a423f9d39c1efe308c9722c338fa82e36a55f",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "metadata-service/servlet/src/main/java/com/datahub/gms/servlet/Config.java"
        }
    }
]