CVE-2023-25562

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-25562
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25562.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-25562
Aliases
  • GHSA-3974-hxjh-m3jj
Published
2023-02-10T22:03:00Z
Modified
2025-11-04T20:11:56.551144Z
Severity
  • 6.9 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Summary
Failure to Invalidate Session on Logout in DataHub
Details

DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45, session cookies are only cleared on new sign-in events and not on logout events. Any authentication check that uses the AuthUtils.hasValidSessionCookie() method could be bypassed by using a cookie from a logged-out session. As a result, any logged-out session cookie may be accepted as valid, leading to an authentication bypass to the system. Users are advised to upgrade. There are no known workarounds for this issue. This vulnerability was discovered and reported by the GitHub Security Lab and is tracked as GHSL-2022-083.

Database specific
{
    "cwe_ids": [
        "CWE-613"
    ]
}
References

Affected packages

Git / github.com/datahub-project/datahub

Affected ranges

Type
GIT
Repo
https://github.com/datahub-project/datahub
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

RC-v0.*

RC-v0.8.28

v0.*

v0.1.0-alpha
v0.1.1-alpha
v0.2.0-alpha
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.0-BETA
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.8.0-pre
v0.8.1
v0.8.10
v0.8.11
v0.8.12
v0.8.13
v0.8.14
v0.8.15
v0.8.16
v0.8.17
v0.8.18
v0.8.19
v0.8.2
v0.8.20
v0.8.21
v0.8.22
v0.8.23
v0.8.24
v0.8.25
v0.8.26
v0.8.27
v0.8.28
v0.8.28rc1
v0.8.29
v0.8.3
v0.8.30
v0.8.31
v0.8.32
v0.8.33
v0.8.34
v0.8.35
v0.8.36
v0.8.37
v0.8.38
v0.8.39
v0.8.4
v0.8.40
v0.8.41
v0.8.42
v0.8.43
v0.8.44
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9

Database specific

vanir_signatures

[
    {
        "id": "CVE-2023-25562-16f79a12",
        "target": {
            "file": "metadata-service/servlet/src/main/java/com/datahub/gms/servlet/Config.java"
        },
        "source": "https://github.com/datahub-project/datahub/commit/af6a423f9d39c1efe308c9722c338fa82e36a55f",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "31554251648533416152623010086936924547",
                "155760737878228610195097988911985706046",
                "284220006101245241007895365429582833180",
                "221398545169308186189998836629710439288"
            ]
        },
        "deprecated": false,
        "signature_version": "v1"
    }
]