CVE-2024-22409

Published: Jan 16, 2024

Modified: Jun 17, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

DataHub is an open-source metadata platform. In affected versions a low privileged user could remove a user, edit group members, or edit another user's profile information. The default privileges gave too many broad permissions to low privileged users. These have been constrained in PR #9067 to prevent abuse. This issue can result in privilege escalation for lower privileged users up to admin privileges, potentially, if a group with admin privileges exists. May not impact instances that have modified default privileges. This issue has been addressed in datahub version 0.12.1. Users are advised to upgrade.

Vendor	Product	Versions
datahub-project	datahub	affected `< 0.12.1`

Weaknesses (CWE)

CWE-276

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/datahub-project/datahub/security/advisories/GHSA-x3v6-r479-m4xv

x_refsource_CONFIRM

https://github.com/datahub-project/datahub/pull/9067

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-22409

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References