google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

PRP: Datahub CVE-2023-25557 #287

Open timoles opened 1 year ago

timoles commented 1 year ago

Hi, I'd like to write a detector for the recent critical Datahub vulnerability CVE-2023-25557.

A detailed writeup of the exploit can be found at https://github.blog/2023-03-03-github-security-lab-audited-datahub-heres-what-they-found/#ssrf-xss-ghsl-2022-076

Rating: 9.1 Critical CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

maoning commented 1 year ago

Hi @timoles, based on the linked analysis, this vuln doesn't directly result in a RCE. As a result, this request is not considered in scope for the reward program at this time.

You could consider contributing a set of Tsunami web fingerprints for datahub which is in scope for PRP program.

timoles commented 1 year ago

Hi @maoning, sorry but it seems I made a copy paste error and got something confused when submitting the issue.

I meant to write a plugin for CVE-2022-39366 which is rated with CVSS3.1: 9.8. The vulnerability allows unauthenticated access to the datahub application through a missing JWT signature check. (Github Rating)

The vulnerability impact is described as:

The lack of signature verification means that JWTs are accepted regardless of the used algorithm. Therefore, it allows an attacker to connect to DataHub instances as any arbitrary user, including the system one, when the Metadata Service authentication is enabled.

Would this vulnerability be within the scope for the PRP program?

If the previously mentioned vulnerability is not in scope, then I would, as per your suggestions, like to do the web fingerprint for Datahub.

Thanks, and sorry for the confusion timoles

maoning commented 1 year ago

Hi Timoles,

I don't know how widely adopted Datahub is in the industry. I would like you to start on the fingerprint part, which would help with measuring the Datahub usage. Could you create a new issue for datahub fingerprint for tracking purposes?

Meanwhile I will keep this bug open, and do more research into the impact radius of this datahub vulnerability you reported. I will update this bug if there are strong signals indicating otherwise.

tooryx commented 2 months ago

Hi @timoles,

Just a heads-up that I am going to batch-close a few of your issues. These issues affect rather old CVEs that we are not interested in. Sorry that it took so long to take a decision.

We should soon reach out to select the main issue you can work on.

~tooryx

tooryx commented 2 months ago

Hi @timoles,

You can work on this issue. Sorry again for the delay.

~tooryx