CVE-2023-47628 (GCVE-0-2023-47628)
Vulnerability from cvelistv5 – Published: 2023-11-14 00:33 – Updated: 2024-09-03 14:35
Summary
DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless sessions, which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever. DataHub uses a stateless session cookie that is not invalidated on logout; it is just removed from the browser, forcing the user to log in again. However, if an attacker extracted a cookie from an authenticated user, it would continue to be valid, as there is no validation of a time window for which the session token is valid, due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user, are affected. Users are advised to update to version 0.12.1, which addresses the issue. There are no known workarounds for this vulnerability.
Severity
4.2 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/datahub-project/datahub/security/advisories/GHSA-75p8-rgh2-r9mx | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| datahub-project | datahub | Affected: < 0.12.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:42.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/datahub-project/datahub/security/advisories/GHSA-75p8-rgh2-r9mx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/datahub-project/datahub/security/advisories/GHSA-75p8-rgh2-r9mx"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-47628",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T14:35:18.972029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:35:43.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "datahub",
"vendor": "datahub-project",
"versions": [
{
"status": "affected",
"version": "\u003c 0.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DataHub is an open-source metadata platform. DataHub Frontend\u0027s sessions are configured using Play Framework\u0027s default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever. DataHub uses a stateless session cookie that is not invalidated on logout, it is just removed from the browser forcing the user to login again. However, if an attacker extracted a cookie from an authenticated user it would continue to be valid as there is no validation on a time window the session token is valid for due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-14T00:33:12.602Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/datahub-project/datahub/security/advisories/GHSA-75p8-rgh2-r9mx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/datahub-project/datahub/security/advisories/GHSA-75p8-rgh2-r9mx"
}
],
"source": {
"advisory": "GHSA-75p8-rgh2-r9mx",
"discovery": "UNKNOWN"
},
"title": "Session Expiration Misconfiguration in datahub"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-47628",
"datePublished": "2023-11-14T00:33:12.602Z",
"dateReserved": "2023-11-07T16:57:49.244Z",
"dateUpdated": "2024-09-03T14:35:43.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}