CVE-2024-29037

9.1 CRITICAL

📋 TL;DR

The datahub-helm charts from 0.1.143 up to (but not including) 0.2.182 shipped a fixed, publicly known signing key for DataHub personal access tokens. Anyone who can reach the DataHub metadata service (GMS) can sign a token with that key and be accepted as any user. Only deployments that enabled Metadata Service Authentication are affected; that option was off by default and awkward to turn on during the affected range, so most installs were probably not exposed.

💻 Affected Systems

Products:
  • datahub-helm
Versions: >=0.1.143, <0.2.182
Operating Systems: Any Kubernetes platform
Default Config Vulnerable: ✅ No
Notes: The static key sat in the chart's default values, but it is only used once Metadata Service Authentication is enabled. That option was off by default and difficult to configure during the affected range, which is why most deployments were never exposed. A deployment that enabled it later without replacing the key is exposed from that moment on.

📦 What is this software?

datahub-helm is the set of Helm charts used to deploy DataHub, an open-source metadata platform, together with its dependencies on a Kubernetes cluster. The charts render the Kubernetes Secrets and environment variables that DataHub's metadata service (GMS) reads, including the key it uses to sign and verify personal access tokens.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who can reach the GMS API signs a token for any user, including an administrator, and gets that user's full API access: reading and changing the metadata catalog, its access policies and its users as that user, with nothing in the token itself to distinguish it from a legitimately issued one.

🟠

Likely Case

Limited impact since most deployments didn't enable Metadata Service Authentication during the vulnerable window, but affected instances could experience token forgery attacks.

🟢

If Mitigated

Once the signing key is replaced with a random value known only to GMS (the charts generate one from 0.2.182 on), tokens signed with the published key stop verifying and forgery is no longer possible. The rotation also invalidates every existing personal access token, so those have to be reissued.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: Yes
Complexity: LOW

No prior credentials are needed. The token is forged offline from two public inputs, the static signing key and DataHub's token format (a standard HS256 JWT), and then presented to the GMS API like any personal access token. All the attacker needs is network reachability to GMS and the name of a user to impersonate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.182

Vendor Advisory: https://github.com/acryldata/datahub-helm/security/advisories/GHSA-82p6-9h7m-9h8j

Restart Required: Yes

Instructions:

1. Upgrade datahub-helm to 0.2.182 or later, which generates random authentication secrets instead of shipping a static key.
2. Redeploy DataHub with the updated charts and restart the GMS pods so they pick up the new key.
3. Confirm the signing key actually changed: an upgrade may leave a pre-existing Secret (or one you provisioned yourself) untouched, so check the value mounted into GMS rather than the chart version alone.
4. Reissue personal access tokens for ingestion jobs and integrations; every token signed with the old key is now rejected.

🔧 Temporary Workarounds

Reset Token Signing Key

linux

Set the token signing key to a random value by hand and restart GMS. This invalidates every existing personal access token, so plan to reissue the tokens used by ingestion jobs and integrations. Write the new key into the Secret that the chart's `global.datahub.metadata_service_authentication.tokenService.signingKey` values point at (the chart defaults are Secret `datahub-auth-secrets`, key `token_service_signing_key`; check your values.yaml for the names actually in use). Patch the single key rather than recreating the Secret, because the same Secret carries the other authentication values. If the chart provisions that Secret for you (`provisionSecrets`), switch that off or manage the Secret yourself; otherwise a later `helm upgrade` on an affected chart version writes the static key back. The GMS Deployment carries the release name, `<release>-datahub-gms`.

NEW_KEY=$(openssl rand -base64 32)
kubectl -n datahub patch secret datahub-auth-secrets --type merge -p "{\"stringData\":{\"token_service_signing_key\":\"$NEW_KEY\"}}"
kubectl -n datahub rollout restart deployment/datahub-datahub-gms

🧯 If You Can't Patch

  • Disable Metadata Service Authentication only if GMS is reachable solely through datahub-frontend and your own network controls: with the feature off, GMS accepts every request, so this removes the forged-token problem by removing authentication altogether
  • Restrict network access to GMS (NetworkPolicy, ingress rules) to the frontend, ingestion runners and known integrations, so that a forged token cannot be presented from anywhere else

🔍 How to Verify

Check if Vulnerable:

You are affected if all three hold: the chart version is 0.1.143 or later but earlier than 0.2.182, Metadata Service Authentication is enabled (`global.datahub.metadata_service_authentication.enabled: true`), and the signing key mounted into GMS is still the chart's static default.

Check Version:

helm list -n datahub | grep datahub

The CHART column reads `datahub-<chart version>`; compare the part after the dash against the range above.

Verify Fix Applied:

Confirm the chart version is 0.2.182 or later and, separately, that the value of `DATAHUB_TOKEN_SERVICE_SIGNING_KEY` that GMS receives (normally a key in the Secret referenced from the GMS Deployment) is a random value rather than the published default. The version alone does not prove the key was regenerated.
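The check described above, as an added example that is not part of the original page or the datahub-helm project: a POSIX shell script that pulls the three deciding facts from the cluster (chart version, whether Metadata Service Authentication is on, and the signing key actually mounted into GMS) and turns them into one verdict. It locates the Secret through the GMS Deployment's `DATAHUB_TOKEN_SERVICE_SIGNING_KEY` environment reference instead of guessing the Secret's name, treats a missing `METADATA_SERVICE_AUTH_ENABLED` as off, assumes the chart's `<release>-datahub-gms` Deployment naming, and assumes the static default is the value DataHub ships in its stock configuration (override it with `DATAHUB_DEFAULT_SIGNING_KEY` if your copy of the advisory lists something else). Unlike a version check, it reports VULNERABLE whenever the live key equals the default, whatever the chart version.

```shell
#!/bin/sh
# Added example (not datahub-helm project code): assess exposure to CVE-2024-29037.
# Usage: ./assess.sh <namespace> <helm-release>     e.g. ./assess.sh datahub datahub
# Assumption: the static default key is the value DataHub ships in its stock config.
DEFAULT_KEY="${DATAHUB_DEFAULT_SIGNING_KEY:-WnEdIeTG/VVCLQqGwC/BAkqyY0k+H8NEAtWGejrBI94=}"

# version_lt A B: succeeds when dotted version A sorts before B (three numeric parts assumed)
version_lt() {
  a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
  b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return; fi
  [ "$a3" -lt "$b3" ]
}

# in_vulnerable_range VERSION: 0.1.143 <= VERSION < 0.2.182, the advisory's affected range
in_vulnerable_range() {
  ! version_lt "$1" 0.1.143 && version_lt "$1" 0.2.182
}

# assess CHART_VERSION AUTH_ENABLED SIGNING_KEY: prints exactly one verdict word.
# The key value decides first; the chart version only qualifies a non-default key.
assess() {
  if [ "$3" = "$DEFAULT_KEY" ]; then
    if [ "$2" = true ]; then echo VULNERABLE; else echo AUTH_OFF_DEFAULT_KEY; fi
  elif [ "$2" != true ]; then
    echo AUTH_OFF
  elif in_vulnerable_range "$1"; then
    echo KEY_ROTATED          # affected chart, but the workaround (random key) is in place
  else
    echo FIXED                # chart outside the affected range and a non-default key
  fi
}

# gms_env NAMESPACE DEPLOYMENT VAR PATH: read one field of one env entry from the GMS pod spec
gms_env() {
  kubectl -n "$1" get deployment "$2" \
    -o jsonpath="{.spec.template.spec.containers[0].env[?(@.name==\"$3\")]$4}" 2>/dev/null
}

# assess_release NAMESPACE RELEASE: collect the facts from a live cluster and print the verdict
assess_release() {
  ns=$1; rel=$2; deploy="$rel-datahub-gms"       # assumed chart naming: <release>-datahub-gms
  chart=$(helm list -n "$ns" --filter "^$rel\$" -o json | grep -o '"chart":"[^"]*"' | head -n 1 | cut -d'"' -f4)
  [ -n "$chart" ] || { echo "release $rel not found in namespace $ns" >&2; return 1; }
  auth=$(gms_env "$ns" "$deploy" METADATA_SERVICE_AUTH_ENABLED .value)
  secret=$(gms_env "$ns" "$deploy" DATAHUB_TOKEN_SERVICE_SIGNING_KEY .valueFrom.secretKeyRef.name)
  field=$(gms_env "$ns" "$deploy" DATAHUB_TOKEN_SERVICE_SIGNING_KEY .valueFrom.secretKeyRef.key)
  if [ -n "$secret" ]; then
    key=$(kubectl -n "$ns" get secret "$secret" -o jsonpath="{.data.$field}" | base64 -d)
  else                                            # key set inline in the pod spec, not via a Secret
    key=$(gms_env "$ns" "$deploy" DATAHUB_TOKEN_SERVICE_SIGNING_KEY .value)
  fi
  verdict=$(assess "${chart##*-}" "${auth:-false}" "$key")
  printf '%s chart=%s auth=%s secret=%s/%s\n' "$verdict" "$chart" "${auth:-unset}" "$secret" "$field"
}

if [ "$#" -eq 2 ]; then assess_release "$1" "$2"; fi
```

Read the verdict together with the details it prints: AUTH_OFF_DEFAULT_KEY means the install is not exposed today but becomes exposed the moment authentication is switched on, so rotate the key before enabling it; KEY_ROTATED means the workaround is in place and the chart upgrade is still pending.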

📡 Detection & Monitoring

Log Indicators:

  • API activity attributed to a user who never generated a personal access token (a forged token is minted offline, so its use leaves no token-generation event behind)
  • After the key has been rotated: authentication failures in datahub-gms from tokens that no longer verify; a burst of them from one source is a forged or stale token being replayed
  • Personal access tokens created for high-privilege users outside expected change windows

Network Indicators:

  • Bearer-token calls to the GMS API from addresses other than datahub-frontend, ingestion runners and known integrations
  • One token presented from many source addresses

SIEM Query:

source="datahub" AND ("personal access token" OR "authentication failure")

The two search strings are a starting point; match them against the exact messages your datahub-gms version logs for token creation and rejected tokens before relying on the query.
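The indicators above and the forgery described under Exploit Status come down to one check, since a forged token is an HS256 JWT that verifies under the published key. The script below is an added example, not DataHub project code: it pulls bearer tokens out of a log or proxy capture and reports every one that verifies under the old default key, together with the identity the token claims. Assumptions: the default key is the value DataHub ships in its stock configuration (override with `DATAHUB_DEFAULT_SIGNING_KEY`); DataHub's exact key handling is not on this page, so the check tries the key string both as raw bytes and base64-decoded; the sample token built by `mint_token` only imitates the shape of a DataHub token, and its claim names are assumed. The log line fed to it in the usage is constructed.

```shell
#!/bin/sh
# Added example (not DataHub code): flag access tokens minted with the old static key.
# DataHub access tokens are HS256 JWTs. Whether the server hands the configured key string
# to HMAC as raw bytes or base64-decodes it first is an assumption here, so both are tried.
# Usage: ./default_key_tokens.sh <logfile>     scans the file for bearer tokens
DEFAULT_KEY="${DATAHUB_DEFAULT_SIGNING_KEY:-WnEdIeTG/VVCLQqGwC/BAkqyY0k+H8NEAtWGejrBI94=}"

b64url_enc() { base64 | tr -d '\n=' | tr -- '+/' '-_'; }   # stdin bytes -> unpadded base64url
b64url_dec() {                                             # stdin base64url -> bytes
  s=$(tr -- '-_' '+/')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# hs256 SIGNING_INPUT KEY MODE: base64url HMAC-SHA256. MODE "raw" feeds the key string's
# bytes to HMAC; MODE "base64" decodes the key string first.
hs256() {
  if [ "$3" = raw ]; then
    printf '%s' "$1" | openssl dgst -sha256 -hmac "$2" -binary | b64url_enc
  else
    hex=$(printf '%s' "$2" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    printf '%s' "$1" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$hex" -binary | b64url_enc
  fi
}

# signed_with TOKEN KEY: prints "raw" or "base64" when the signature verifies under KEY
# in that interpretation, otherwise "no". Always exits 0; the printed word is the result.
signed_with() {
  input=${1%.*}; sig=${1##*.}
  for mode in raw base64; do
    if [ "$(hs256 "$input" "$2" "$mode")" = "$sig" ]; then echo "$mode"; return 0; fi
  done
  echo no
}

# token_claims TOKEN: the decoded payload, i.e. who the token says it is
token_claims() { p=${1#*.}; printf '%s' "${p%%.*}" | b64url_dec; }

# mint_token KEY ACTOR_ID MODE: constructed sample token in the shape of a DataHub PAT.
# The claim names are an assumption; only the signature matters to the check.
mint_token() {
  hdr=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url_enc)
  body=$(printf '{"actorType":"USER","actorId":"%s","type":"PERSONAL","sub":"%s"}' "$2" "$2" | b64url_enc)
  printf '%s.%s' "$hdr.$body" "$(hs256 "$hdr.$body" "$1" "$3")"
}

# scan_tokens < LOG: print the claims of every distinct JWT in the input that verifies
# under DEFAULT_KEY. After a key rotation, each hit is a forged or stale token.
scan_tokens() {
  grep -o 'eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*' | sort -u | while read -r tok; do
    m=$(signed_with "$tok" "$DEFAULT_KEY")
    if [ "$m" != no ]; then
      printf 'default-key token [%s key] %s\n' "$m" "$(token_claims "$tok")"
    fi
  done
  return 0
}

if [ "$#" -eq 1 ]; then scan_tokens < "$1"; fi
```

Run it after the key rotation: a hit is then either a forged token or a stale one that a legitimate client is still presenting, and whose owner needs a new token. Before rotation, legitimately issued tokens verify under the default key as well, so the output is the list of tokens to reissue, not evidence of compromise.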

🔗 References

  • https://github.com/acryldata/datahub-helm/security/advisories/GHSA-82p6-9h7m-9h8j
  • https://nvd.nist.gov/vuln/detail/CVE-2024-29037