false positives: datahub-java dependencies

Low
david-leifker published GHSA-8cr6-69rq-2mj8 Sep 20, 2024

Package

No package listed

Affected versions

*

Patched versions

n/a

Description

Impact

DataHub service components rely on libraries that contain upstream vulnerabilities, but those vulnerabilities are not applicable to the way that DataHub UI uses those libraries.


DataHub uses Jetty

  • CVE-2024-38816 - spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

  • the web application uses RouterFunctions to serve static resources
  • resource handling is explicitly configured with a FileSystemResource location
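The two applicability conditions above can be triaged mechanically before a scanner finding is accepted or dismissed. The following is an added example, not code from DataHub or Spring: a file-level heuristic over Java source text, where the function names and the sample sources are assumptions constructed for illustration.

```python
import re

# String literals are matched first so that a path pattern such as "/static/**"
# is not mistaken for the start of a /* ... */ comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
_ROUTER = re.compile(r"\bRouterFunctions\b")
_SERVE = re.compile(r"\b(?:resources|resourceLookupFunction)\s*\(")
_FS = re.compile(r"\bnew\s+FileSystemResource\s*\(")

def strip_comments(src: str) -> str:
    """Remove // and /* */ comments while leaving string literals intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", src)

def classify(src: str) -> str:
    """Heuristic verdict for one Java file (hypothetical helper, file-level only)."""
    code = strip_comments(src)
    # Condition 1: RouterFunctions is used to serve static resources.
    serves_static = bool(_ROUTER.search(code) and _SERVE.search(code))
    # Condition 2: a FileSystemResource location is constructed in live code.
    uses_fs = bool(_FS.search(code))
    if serves_static and uses_fs:
        return "both-conditions"
    return "router-only" if serves_static else "not-applicable"

def triage(files: dict[str, str]) -> dict[str, str]:
    """Classify every file; 'both-conditions' results need manual review."""
    return {path: classify(src) for path, src in files.items()}

# Constructed sample sources (not taken from DataHub or any real project).
SAMPLES = {
    "FsRoutes.java": '''
        import org.springframework.core.io.FileSystemResource;
        import org.springframework.web.servlet.function.RouterFunctions;
        class FsRoutes {
            Object r = RouterFunctions.resources("/static/**",
                    new FileSystemResource("/opt/app/static/"));
        }''',
    "CpRoutes.java": '''
        import org.springframework.web.servlet.function.RouterFunctions;
        class CpRoutes {
            // previously: new FileSystemResource("/opt/app/static/")
            Object r = RouterFunctions.resources("/static/**",
                    new ClassPathResource("static/"));
        }''',
    "Plain.java": 'class Plain { String p = "/static/**"; /* RouterFunctions */ }',
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLES).items():
        print(f"{path}: {verdict}")
```

A "both-conditions" result only says that the two code-level conditions are present in that file; it does not account for anything in the deployment that blocks the malicious requests.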
However, malicious requests are blocked and rejected when any of the following is true:


DataHub does not require or run Zookeeper as a service.

  • CVE-2023-44981 - Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper
  • CVE-2024-23944 - Information disclosure in persistent watchers handling in Apache ZooKeeper

Information disclosure in persistent watchers handling in Apache ZooKeeper due to a missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent to which the attacker already has access. The ZooKeeper server doesn't perform an ACL check when the persistent watcher is triggered and, as a consequence, the full path of the znodes that a watch event is triggered on is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of the znode, but since a znode path can contain sensitive information such as a user name or login ID, this issue is potentially critical.

Users are recommended to upgrade to version 3.9.2 or 3.8.4, which fixes the issue.


DataHub does not parse XML internally or externally using the vulnerable library.

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries such that an XML external entity (XXE) vulnerability affects codehaus's jackson-mapper-asl libraries. This vulnerability is similar to CVE-2016-3720. The primary threat from this flaw is data integrity.

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs