{"url":"http://public2.vulnerablecode.io/api/packages/595407?format=json","purl":"pkg:pypi/acryl-datahub@0.8.16.8","type":"pypi","namespace":"","name":"acryl-datahub","version":"0.8.16.8","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.8.45","latest_non_vulnerable_version":"0.8.45","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/168326?format=json","vulnerability_id":"VCID-sjmp-ct3f-mfhc","summary":"DataHub is an open-source metadata platform. Prior to version 0.8.45, the `StatelessTokenService` of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an unauthenticated attacker with network access to GMS to present a forged token and act as any user when Metadata Service authentication is enabled. This vulnerability occurs because the `StatelessTokenService` of the Metadata service uses the `parse` method of `io.jsonwebtoken.JwtParser`, which decodes the token but does not verify its cryptographic signature. This means that JWTs are accepted regardless of the algorithm declared in the token header, so a token with an invalid or missing signature is treated as valid. This issue is an authentication bypass of the Metadata Service. Version 0.8.45 contains a patch for the issue. 
There are no known workarounds; upgrading to version 0.8.45 or later is the only remediation, and until the upgrade is applied any access that relies on GMS token authentication should be treated as effectively unauthenticated.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39366","reference_id":"","reference_type":"","scores":[{"value":"0.00958","scoring_system":"epss","scoring_elements":"0.76963","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00958","scoring_system":"epss","scoring_elements":"0.76893","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39366"},{"reference_url":"https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check"},{"reference_url":"https://github.com/datahub-project/datahub","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/datahub-project/datahub"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39366","reference_id":"CVE-2022-39366","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39366"},{"reference_url":"https://github.com/advisories/GHSA-r8gm-v65f-c973","reference_id":"GHSA-r8gm-v65f-c973","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r8gm-v65f-c973"},{"reference_url":"https://github.com/datahub-project/datahub/security/advisories/GHSA-r8gm-v65f-c973","reference_id":"GHS
A-r8gm-v65f-c973","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:26Z/"}],"url":"https://github.com/datahub-project/datahub/security/advisories/GHSA-r8gm-v65f-c973"},{"reference_url":"https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/","reference_id":"java-missing-jwt-signature-check","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:26Z/"}],"url":"https://codeql.github.com/codeql-query-help/java/java-missing-jwt-signature-check/"},{"reference_url":"https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L134","reference_id":"StatelessTokenService.java#L134","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:26Z/"}],"url":"https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L134"},{"reference_url":"https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authen
tication/token/StatelessTokenService.java#L30","reference_id":"StatelessTokenService.java#L30","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:26Z/"}],"url":"https://github.com/datahub-project/datahub/blob/aa146db611e3a4ca3aa17bb740783f789d4444d3/metadata-service/auth-impl/src/main/java/com/datahub/authentication/token/StatelessTokenService.java#L30"},{"reference_url":"https://github.com/datahub-project/datahub/releases/tag/v0.8.45","reference_id":"v0.8.45","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:39:26Z/"}],"url":"https://github.com/datahub-project/datahub/releases/tag/v0.8.45"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27681?format=json","purl":"pkg:pypi/acryl-datahub@0.8.45","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/acryl-datahub@0.8.45"}],"aliases":["CVE-2022-39366","GHSA-r8gm-v65f-c973"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sjmp-ct3f-mfhc"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/acryl-datahub@0.8.16.8"}