Security Advisory

DataHub GMS Privilege Escalation through User Signup

Adversaries who are able to sign up a new account can elevate their privileges to those of an internal system user by abusing insufficient input validation in the user signup flow.

Advisory ID: MLSA-2024-002
CVE: none
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: high
Affected versions: < v0.12.1rc2
Fixed versions: ≥ v0.12.1rc2
Discovered by: Timo Müller

Product description

DataHub is an extensible metadata platform that enables data discovery, data observability and federated governance to help tame the complexity of your data ecosystem.

Details

Missing input validation in the user signup form allows an adversary to register an account with the email __datahub_system, which results in privilege escalation.

The issue exists because DataHub uses a user's email to build the URN that is then used to determine their permissions. The signup form does not check that the supplied value is actually an email address, so by registering with the email __datahub_system an adversary is assigned the URN of an internal system user and inherits its privileges.

Note that exploitation requires the ability to sign up a new user. Signup is usually only reachable through an instance-specific invite token, which is why the CVSS vector rates the attack as requiring low privileges (PR:L).
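The following Python model is an added illustration of the flaw class described above; it is not DataHub's own code (DataHub GMS and its frontend are Java/Scala) and is not an exploit. It shows why deriving a principal identifier verbatim from an unvalidated signup email collides with an internal system principal, how a hardened signup rejects that input, and a check for the indicator listed under Indicators of Compromise. The corpuser URN layout urn:li:corpuser:<id>, the invite-token check, the policy table and the sample user export are all assumptions made for the example; the advisory only states that the email is used to build a URN.

```python
import re

# Internal system principal named in the advisory.
SYSTEM_USER = "__datahub_system"


def corpuser_urn(user_id: str) -> str:
    # Assumption: DataHub user URNs look like urn:li:corpuser:<id>.
    # The advisory only says the signup email is used to build a URN.
    return f"urn:li:corpuser:{user_id}"


# Constructed policy table for the example: principals holding full rights.
PRIVILEGED_URNS = {corpuser_urn(SYSTEM_USER)}


def is_privileged(urn: str) -> bool:
    return urn in PRIVILEGED_URNS


def _check_invite(invite_token: str, valid_tokens: set) -> None:
    # Hypothetical invite gate: the advisory notes that signup normally
    # requires an instance-specific invite token (this is the PR:L in CVSS).
    if invite_token not in valid_tokens:
        raise PermissionError("invalid invite token")


def signup_vulnerable(email: str, invite_token: str, valid_tokens: set) -> str:
    """Vulnerable flow: the client-supplied 'email' becomes the principal id
    verbatim, so email="__datahub_system" yields the system user's URN."""
    _check_invite(invite_token, valid_tokens)
    return corpuser_urn(email)


# Hardened flow: syntactic email check, reserved-name check, and a final
# guard that signup never mints a principal which already holds rights.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
RESERVED_PREFIX = "__"  # assumed convention for internal/system identifiers


def signup_hardened(email: str, invite_token: str, valid_tokens: set) -> str:
    _check_invite(invite_token, valid_tokens)
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("email is not a syntactically valid address")
    if email == SYSTEM_USER or email.startswith(RESERVED_PREFIX):
        raise ValueError("email uses a reserved identifier")
    urn = corpuser_urn(email)
    if is_privileged(urn):
        # Defence in depth: even if the checks above are bypassed, signup
        # must never hand out an identity that already carries privileges.
        raise ValueError("refusing to create a privileged principal via signup")
    return urn


def find_rogue_system_accounts(user_list: list) -> list:
    """Detection for the IoC: a __datahub_system (or any '__'-prefixed)
    account showing up in the admin-visible user list."""
    return [u["username"] for u in user_list
            if u["username"].startswith(RESERVED_PREFIX)]


# Constructed sample of an admin-visible user list; not real DataHub data.
SAMPLE_USERS = [
    {"username": "alice@example.com", "urn": corpuser_urn("alice@example.com")},
    {"username": "__datahub_system", "urn": corpuser_urn("__datahub_system")},
]


if __name__ == "__main__":
    tokens = {"invite-123"}
    urn = signup_vulnerable("__datahub_system", "invite-123", tokens)
    print("vulnerable signup gave", urn, "privileged:", is_privileged(urn))
    try:
        signup_hardened("__datahub_system", "invite-123", tokens)
    except ValueError as exc:
        print("hardened signup rejected it:", exc)
    print("rogue accounts in export:", find_rogue_system_accounts(SAMPLE_USERS))
```

The important design point is the last guard in signup_hardened: input validation on the email is necessary, but the authorisation layer should also refuse to let a self-service flow create any identity that maps onto an existing privileged principal, so that a future parsing gap cannot reopen the same escalation.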

Workarounds

None

Indicators of Compromise

  • A __datahub_system user exists within the DataHub user list accessible to DataHub administrators.

Coordinated Disclosure Timeline

  • 27/04/2023 MOGWAI LABS submits this vulnerability through the “Security” tab within the DataHub GitHub repository
  • 01/05/2023 The vulnerability report is accepted by a DataHub security advisory publisher
  • 12/04/2024 MOGWAI LABS requests disclosure of this vulnerability
  • 12/04/2024 Start of disclosure policy timeline
  • 08/04/2024 MOGWAI LABS reminds the DataHub team about the upcoming disclosure policy deadline
  • 15/04/2024 MOGWAI LABS requests a CVE from NIST
  • 19/04/2024 MOGWAI LABS releases this advisory