CVE-2022-39366 in DataHub

Summary

by MITRE • 10/28/2022

DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authentication is enabled. This vulnerability occurs because the `StatelessTokenService` of the Metadata service uses the `parse` method of `io.jsonwebtoken.JwtParser`, which does not perform a verification of the cryptographic token signature. This means that JWTs are accepted regardless of the used algorithm. This issue may lead to an authentication bypass. Version 0.8.45 contains a patch for the issue. There are no known workarounds.


Analysis

by VulDB Data Team • 12/03/2025

The vulnerability identified as CVE-2022-39366 affects DataHub, an open-source metadata platform designed to manage and govern enterprise data assets. This security flaw resides within the Metadata Service (GMS) component of DataHub, specifically within the StatelessTokenService implementation. The issue represents a critical authentication bypass vulnerability that fundamentally undermines the platform's security model when metadata service authentication is enabled. The vulnerability exists in versions prior to 0.8.45, making all earlier releases susceptible to exploitation by malicious actors who can manipulate authentication tokens to gain unauthorized access to the metadata platform.

The technical root cause of this vulnerability lies in the improper handling of JSON Web Token (JWT) validation within the `StatelessTokenService` class. The service uses the `parse` method of `io.jsonwebtoken.JwtParser` without implementing proper signature verification. As a result, the system accepts JWTs regardless of the cryptographic algorithm used for signing, which effectively disables token-based authentication. The `parse` method decodes tokens without automatically verifying their signatures, leaving a gap in the authentication process where tokens can be forged or modified without detection. This behavior violates fundamental security principles for token-based authentication systems and creates a pathway for unauthorized access to sensitive metadata resources.
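The gap between decoding a token and verifying it, shown as an added Python example; this is not DataHub's Java code or the `io.jsonwebtoken` API. The key, the sample tokens, the function names and the choice of HS256 are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header, claims, key=None):
    """Build a constructed test token; key=None leaves the signature empty."""
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url_encode(sig)

def decode_only(token):
    """Flawed pattern: claims are read and trusted with no signature check."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token, key):
    """Return the claims only if the token is HS256 and its HMAC matches."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the token header must not choose how it is checked.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))

def accepted(token, key):
    try:
        verify_hs256(token, key)
        return True
    except ValueError:
        return False

# Constructed sample values, not taken from any real deployment.
KEY = b"constructed-demo-key"
SIGNED = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, KEY)
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, {"sub": "admin"})
WRONG_KEY = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "admin"}, b"other-key")
```

`decode_only` returns the claims of all three sample tokens, while `verify_hs256` returns claims only for `SIGNED`; the unsigned and wrong-key tokens serve as negative test cases for any deployment's regression suite.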

The operational impact of this vulnerability is severe and far-reaching within enterprise data environments. An attacker who can exploit this vulnerability gains the ability to impersonate any user within the DataHub platform, potentially accessing restricted metadata, modifying data governance policies, or extracting sensitive information about the organization's data landscape. The authentication bypass enables unauthorized access to metadata repositories that may contain critical business intelligence, personal data, or proprietary information. This vulnerability particularly affects organizations that rely on DataHub for enterprise data governance and metadata management, as it undermines the trust model that should protect access to their data assets. The severity is amplified by the fact that this vulnerability can be exploited remotely without requiring prior authentication credentials, making it particularly dangerous in multi-tenant or publicly accessible environments.

This vulnerability maps directly to CWE-347, which addresses the issue of improper verification of cryptographic signatures, and aligns with ATT&CK technique T1078.004 for valid accounts, as attackers can leverage this flaw to assume legitimate user identities. The attack vector represents a privilege escalation scenario where an attacker moves from unauthenticated to authenticated access within the platform. Organizations should immediately upgrade to DataHub version 0.8.45 or later to remediate this vulnerability, as no effective workarounds exist for this particular issue. The patch implemented in version 0.8.45 addresses the core problem by ensuring proper signature verification of JWT tokens through appropriate cryptographic validation mechanisms. Security teams should conduct immediate assessments of their DataHub deployments to identify affected versions and implement the necessary upgrades to protect their metadata infrastructure from this authentication bypass vulnerability.

Responsible

GitHub, Inc.

Reservation

09/02/2022

Disclosure

10/28/2022

Moderation

accepted

CPE

ready

EPSS

0.00851

KEV

no

Activities

very low
