Unity Catalog Authentication Bypass Vulnerability in Token Exchange Endpoint Allowing User Impersonation

Vulnerability

A critical authentication bypass vulnerability has been identified in Unity Catalog versions through 0.4.0. The issue resides in the token exchange endpoint, which improperly validates the issuer claim in incoming JSON Web Tokens (JWTs). This flaw allows an attacker to host a malicious OpenID Connect (OIDC) server, craft a JWT with a trusted issuer claim, and exchange it for a valid internal access token, leading to complete impersonation of any user in the system.

Impact

Exploitation of this vulnerability allows for complete user impersonation, granting access to all resources that the impersonated user has permissions for.

Reproduction

To reproduce this vulnerability, host a malicious OIDC server that serves a valid JWKS endpoint. Generate a JWT signed with a private key, including a custom issuer claim that points to the malicious server and a subject claim that identifies a known user in the Unity Catalog system. Exchange this crafted token at the vulnerable token exchange endpoint. The response will include a valid access token that can be used to access Unity Catalog resources as the impersonated user.

Added: Mar 11, 2026, 8:32 PM
Updated: Mar 11, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.