Datavane Datavines JWT Authentication Bypass Vulnerability
Vulnerability
A critical JWT authentication bypass vulnerability exists in Datavane Datavines versions prior to the latest commit 13607645e14a4982468cfdbcf75c85cde63bae71. The issue arises from a hardcoded JWT signing secret in the TokenManager class, which is not configurable through the application's YAML file; as a result, every default deployment uses the same secret, 'asdqwe'. Additionally, the AuthenticationInterceptor class contains a self-comparison logic flaw: the password carried in the token is validated against itself rather than against the actual user record, so a token forged with the known secret passes the check and bypasses authentication entirely.
Impact
Exploitation of this vulnerability allows for complete bypass of JWT authentication, granting access to all protected API endpoints. This includes sensitive actions such as listing workspaces and their associated data source configurations, executing operations as the impersonated user, and accessing administrative functionalities.
Reproduction
To reproduce this vulnerability, first generate a JWT token using the hardcoded secret 'asdqwe'. The token can be crafted to include a valid username, such as 'admin', and a fake password. Once the token is created, it can be used to access protected API endpoints, such as the workspace list endpoint, effectively bypassing authentication.
Remediation
Users are advised to update to the latest version of Datavane Datavines, where this vulnerability has been patched.
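The following is an added illustration, not Datavines source code, of the two defects described in the Vulnerability section and of the corrected pattern the remediation implies: a signing secret that is a compile-time constant, and an interceptor that compares the token's password claim to itself instead of to the stored user record. Only the class names TokenManager and AuthenticationInterceptor come from the advisory; the claim shapes, the `UserRepository` interface, the `jwt.secret` property name and the sample data are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Optional;

/**
 * Illustrative reconstruction (not Datavines code) of the flaw pattern and its fix.
 * Shapes of TokenClaims, UserRecord and UserRepository are assumptions.
 */
public class JwtAuthCheckExample {

    /** Stand-in for the decoded JWT payload (assumed shape). */
    record TokenClaims(String username, String password) {}

    /** Stand-in for a stored user record (assumed shape). */
    record UserRecord(String username, String passwordHash) {}

    /** Assumed lookup; in a real application this is a database query. */
    interface UserRepository {
        Optional<UserRecord> findByUsername(String username);
    }

    // --- Vulnerable pattern -------------------------------------------------

    static final class VulnerableTokenManager {
        // Defect 1: the signing secret is a constant, so every deployment shares it
        // and nothing in the YAML configuration can change it.
        static final String SECRET = "asdqwe";
    }

    static boolean vulnerableInterceptorCheck(TokenClaims claims) {
        // Defect 2: self-comparison. The password claim is compared to the very
        // value it was read from, so any forged claim is accepted.
        return claims.password().equals(claims.password());
    }

    // --- Hardened pattern ---------------------------------------------------

    static final class HardenedTokenManager {
        private final byte[] secret;

        // The secret is supplied per deployment from configuration (in Spring,
        // e.g. a @Value("${jwt.secret}") property; the key name is assumed) and
        // startup fails if it is absent or too short to be useful.
        HardenedTokenManager(String configuredSecret) {
            if (configuredSecret == null || configuredSecret.length() < 32) {
                throw new IllegalStateException("jwt.secret is missing or shorter than 32 characters");
            }
            this.secret = configuredSecret.getBytes(StandardCharsets.UTF_8);
        }

        byte[] secret() { return secret.clone(); }
    }

    static boolean hardenedInterceptorCheck(TokenClaims claims, UserRepository users) {
        // Resolve the subject against the real user store and reject unknown users.
        Optional<UserRecord> user = users.findByUsername(claims.username());
        if (user.isEmpty()) {
            return false;
        }
        // Compare the claim to the stored record, not to itself, with a
        // constant-time comparison so response timing reveals nothing.
        byte[] fromToken = claims.password().getBytes(StandardCharsets.UTF_8);
        byte[] fromStore = user.get().passwordHash().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(fromToken, fromStore);
    }

    public static void main(String[] args) {
        // Constructed sample data for the demonstration; the hash is a placeholder.
        Map<String, UserRecord> table = Map.of("admin", new UserRecord("admin", "stored-hash-placeholder"));
        UserRepository users = name -> Optional.ofNullable(table.get(name));

        TokenClaims forged = new TokenClaims("admin", "not-the-stored-value");
        TokenClaims genuine = new TokenClaims("admin", "stored-hash-placeholder");

        System.out.println("vulnerable check, forged claims:  " + vulnerableInterceptorCheck(forged));
        System.out.println("hardened check, forged claims:    " + hardenedInterceptorCheck(forged, users));
        System.out.println("hardened check, genuine claims:   " + hardenedInterceptorCheck(genuine, users));
        System.out.println("hardened check, unknown user:     "
                + hardenedInterceptorCheck(new TokenClaims("nobody", "x"), users));
    }
}
```

The hardened check only addresses the comparison defect the advisory names; it still assumes the token's signature was verified beforehand with the per-deployment secret, and a stronger design would drop the password claim from the token altogether and rely on the signature plus the user lookup.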
