CVE-2024-29037

CVSS 3.1 Score 9.1 of 10 (high)

Details

Published: Mar 20, 2024
Updated: Mar 21, 2024
CWE ID: 1394

Summary

CVE-2024-29037 is a vulnerability in the datahub-helm software, affecting versions from 0.1.143 up to, but not including, 0.2.182. Due to configuration issues in the Helm chart, personal access tokens could be created with a default secret key during a limited window of time after a successful initial deployment. Because the secret key used to sign these tokens is publicly available, an attacker can inspect the signing algorithm and generate their own access tokens. Enabling Metadata Service Authentication during the affected releases would have made this vulnerability difficult to exploit; however, manually enabling Metadata Service Authentication through environment variables could bypass the chart's key autogeneration logic and leave the static signing key from application.yml in use. The severity is rated critical, with high impact on the integrity and confidentiality of data. Remediation involves updating to version 0.2.182 or later and verifying that the configuration in place prevents unauthorized token generation and access token abuse.
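As an added example (not part of the advisory and not code from the datahub-helm or DataHub projects), the following Python audit illustrates how a defender can check a deployment for the weak pattern described above: Metadata Service Authentication enabled by hand while the signing key is still the static default, or no key injected at all. The environment variable names `METADATA_SERVICE_AUTH_ENABLED` and `DATAHUB_TOKEN_SERVICE_SIGNING_KEY`, and the assumption that personal access tokens are HS256-signed JWTs, are assumptions made for this example; the real default key from application.yml is deliberately not reproduced and must be filled in from your pinned chart version. A token that verifies under the known default key is one that anyone holding the public key could have minted, so the check also takes an existing token and reports whether it validates under that default.

```python
"""Audit helper for the CVE-2024-29037 weak-signing-key pattern (added example)."""
import base64
import hashlib
import hmac
import json

# Placeholder only: the publicly known default key lives in DataHub's
# application.yml and is not reproduced here. Fill in from your chart version.
KNOWN_DEFAULT_SIGNING_KEYS = {"REPLACE_WITH_DEFAULT_KEY_FROM_APPLICATION_YML"}

# Assumed DataHub GMS environment variable names (not taken from the advisory).
AUTH_ENABLED_VAR = "METADATA_SERVICE_AUTH_ENABLED"
SIGNING_KEY_VAR = "DATAHUB_TOKEN_SERVICE_SIGNING_KEY"


def audit_gms_env(env: dict) -> list:
    """Return findings for the token-signing configuration found in `env`."""
    findings = []
    auth_enabled = env.get(AUTH_ENABLED_VAR, "false").strip().lower() == "true"
    key = env.get(SIGNING_KEY_VAR)
    if not auth_enabled:
        findings.append("metadata service authentication is disabled")
    if not key:
        # With no injected key the static default from application.yml is used.
        findings.append("no signing key injected; the static application.yml default would be used")
    elif key in KNOWN_DEFAULT_SIGNING_KEYS:
        findings.append("signing key equals the publicly known default")
    return findings


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_verifies_under(token: str, key: str) -> bool:
    """True if `token` is an HS256 JWT whose signature validates under `key`."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        actual = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 (binascii.Error) or bad JSON/UTF-8
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, actual)


def pat_uses_known_default(token: str) -> bool:
    """True if an existing token validates under any known default key."""
    return any(token_verifies_under(token, k) for k in KNOWN_DEFAULT_SIGNING_KEYS)


def make_sample_token(payload: dict, key: str) -> str:
    """Constructed fixture builder so the audit can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


# Constructed environments: the weak pattern from the advisory and a remediated one.
WEAK_ENV = {AUTH_ENABLED_VAR: "true", SIGNING_KEY_VAR: "REPLACE_WITH_DEFAULT_KEY_FROM_APPLICATION_YML"}
FIXED_ENV = {AUTH_ENABLED_VAR: "true", SIGNING_KEY_VAR: "constructed-unique-per-deployment-secret-Zq8vN1"}

if __name__ == "__main__":
    for name, env in (("weak", WEAK_ENV), ("fixed", FIXED_ENV)):
        print(name, audit_gms_env(env) or ["ok"])
    sample = make_sample_token({"sub": "audit"}, WEAK_ENV[SIGNING_KEY_VAR])
    print("sample token validates under default key:", pat_uses_known_default(sample))
```

In practice, run `audit_gms_env` over the rendered GMS pod environment (for example from `kubectl get pod ... -o json`), and pass one of your own personal access tokens to `pat_uses_known_default`; a positive result means tokens issued during the affected window should be revoked after the upgrade to 0.2.182 or later.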
