Impact
The DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC callback flow, with no integrity protection (no HMAC, no encryption). This is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting the GET /callback/oidc endpoint.
Successful exploitation requires a valid user account in the configured OIDC identity provider — no DataHub application-level roles or privileges are needed. OIDC/SSO must be enabled, which is a standard production configuration. At minimum, an authenticated attacker can achieve blind SSRF, allowing them to send requests to internal hosts and perform internal port scanning. RCE may be possible depending on available gadget chains, though none were confirmed at time of disclosure.
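Defender-side illustration added here (not code from the DataHub project): a check that flags a cookie value carrying a Java serialization stream (the 0xACED0005 stream magic, which starts "rO0AB" in base64), alongside the HMAC-protected plain-string form the advisory notes is absent. The cookie's encoding, the separator format and the demo key are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional
from urllib.parse import unquote_to_bytes

# Every Java serialization stream begins with STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Constructed sample: base64 of the magic followed by TC_OBJECT/TC_CLASSDESC (0x73 0x72).
CONSTRUCTED_PAYLOAD_B64 = "rO0ABXNy"
# Constructed demo key; a real deployment would load a per-instance secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def is_java_serialized(cookie_value: str) -> bool:
    """True if the cookie value carries a Java serialized stream. The cookie's
    encoding is an assumption, so raw, percent-encoded and base64 forms are
    all checked; a plain path such as "/dashboard" is not flagged."""
    raw = unquote_to_bytes(cookie_value)
    if raw.startswith(JAVA_STREAM_MAGIC):
        return True
    stripped = raw.rstrip(b"=")
    padded = stripped + b"=" * (-len(stripped) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(JAVA_STREAM_MAGIC)


def sign_redirect(path: str, key: bytes) -> str:
    """Hardened form: keep the redirect as a plain string and attach an HMAC.
    Nothing is deserialized, and only same-origin relative paths are accepted."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("redirect must be a same-origin relative path")
    tag = hmac.new(key, path.encode(), hashlib.sha256).hexdigest()
    return f"{path}|{tag}"


def verify_redirect(cookie_value: str, key: bytes) -> Optional[str]:
    """Return the redirect path only when the HMAC verifies, else None."""
    path, sep, tag = cookie_value.rpartition("|")
    if not sep or not path.startswith("/") or path.startswith("//"):
        return None
    expected = hmac.new(key, path.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    return path if hmac.compare_digest(expected, tag) else None
```

The first function is suitable as a log or WAF check on requests to /callback/oidc; the second pair shows the shape of a cookie that carries no object graph at all.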
Patches
The fix will be available in the next release after 1.5.0.2.
References
CWE-502: Deserialization of Untrusted Data
Credit
Brett Gervasoni