SCA: security update for acryl-datahub (GHSA-r8gm-v65f-c973)

critical Tenable Self-Hosted Container Security Plugin ID 418598

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the
DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to
connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability
occurs because the `StatelessTokenService` of the Metadata service uses the `parse` method of
`io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic token signature.
This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an
authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds.
(CVE-2022-39366)

See Also

https://github.com/advisories/GHSA-r8gm-v65f-c973

Plugin Details

Severity: Critical

ID: 418598

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-39366

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/31/2022

Vulnerability Publication Date: 10/28/2022

Reference Information

CVE: CVE-2022-39366

cwe: CWE-347