CVE-2024-29037

CVSS 3.1 Score 9.1 of 10 (high)

Details

Published: Mar 20, 2024
Updated: Mar 21, 2024
CWE ID 1394

Summary

CVE-2024-29037 is a vulnerability in the datahub-helm software affecting versions from 0.1.143 up to, but not including, 0.2.182. Due to configuration issues in the Helm chart, personal access tokens could be created with a default secret key during a limited window of time after a successful initial deployment. Because the secret key used to sign these tokens is publicly available, an attacker could inspect the algorithm and generate their own access tokens. Enabling Metadata Service Authentication during the affected releases would have made this vulnerability difficult to exploit. However, manually enabling Metadata Service Authentication through environment variables could bypass the autogeneration logic and expose the static signing key specified in the application.yml file. The vulnerability is rated critical, with high impact on the integrity and confidentiality of data. Remediation involves updating to version 0.2.182 or later and ensuring that configuration settings prevent unauthorized token generation and access token abuse.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-29037 information. Comprehensive CVE data, risk scores, prioritization, and mitigation data are available through Recorded Future's Vulnerability Intelligence.