Platform: java
Component: org.open-metadata:openmetadata-service
Fixed in: 1.3.2, 1.3.1
CVE-2024-28253 describes a critical SpEL (Spring Expression Language) injection vulnerability discovered in the OpenMetadata Service. This flaw allows authenticated users to inject malicious expressions, potentially leading to remote code execution. The vulnerability impacts versions of OpenMetadata Service up to and including DEMO_BETA1. A fix is available in version 1.3.1.
The SpEL injection vulnerability in OpenMetadata Service poses a significant risk to organizations deploying this platform. An attacker with authenticated access to the /api/v1/policies endpoint can craft malicious payloads that are interpreted as code by the Spring Expression Language engine. This can lead to arbitrary code execution on the server, granting the attacker complete control over the OpenMetadata Service instance. The impact extends beyond data compromise; an attacker could potentially pivot to other systems within the network if the OpenMetadata Service has access to sensitive resources or network segments. This vulnerability shares similarities with other SpEL injection attacks, highlighting the importance of input validation and secure coding practices.
CVE-2024-28253 was publicly disclosed on April 23, 2024. The vulnerability's criticality (CVSS score of 9.4) and the potential for remote code execution suggest a high probability of exploitation. While no public proof-of-concept (PoC) has been widely reported, the ease of exploitation inherent in SpEL injection vulnerabilities makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Exploit Status
EPSS: 92.00% (100% percentile)
CVSS Vector
The primary mitigation for CVE-2024-28253 is to upgrade to OpenMetadata Service version 1.3.1 or later, which includes a fix for the vulnerability. If immediate upgrading is not feasible, consider implementing temporary workarounds. Restrict access to the /api/v1/policies endpoint to only trusted users and roles. Implement strict input validation on all data submitted to this endpoint, specifically looking for potentially malicious SpEL expressions. While a WAF might offer some protection, it's not a substitute for patching. Monitor system logs for suspicious activity related to the /api/v1/policies endpoint, looking for unusual requests or errors.
Update OpenMetadata to version 1.3.1 or higher. This version fixes the SpEL injection vulnerability in the `PUT /api/v1/policies` API. The update will prevent potential remote code execution.
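The two checks the mitigation text asks for, a version comparison against the 1.3.1 fix and a review of access-log requests to /api/v1/policies for expression-language syntax, as an added Python example; this is not OpenMetadata project code, and the log line format, the user names and the request bodies are constructed for the example. Policy payloads are, per the advisory, interpreted by the SpEL engine, so a match marks a request for triage rather than proving exploitation.

```python
"""Triage helpers for CVE-2024-28253 (OpenMetadata SpEL injection).

Added example, not OpenMetadata project code. Implements two defender
checks from the advisory: (1) is a running version below the 1.3.1 fix,
(2) which write requests to /api/v1/policies carried SpEL-looking
syntax in their body. Log format and sample lines are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# First release carrying the fix, per the advisory. The trailing 1 is a
# "release" flag so that pre-releases of 1.3.1 (e.g. 1.3.1-rc1) sort below it.
FIXED_VERSION: Tuple[int, int, int, int] = (1, 3, 1, 1)


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '1.3.0', 'v1.2.5' or '1.3.1-rc1' into a comparable tuple.

    Returns None for strings without a numeric release part (such as the
    'DEMO_BETA1' label in the advisory), which callers must treat as
    unknown rather than as safe.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    prerelease = suffix.startswith("-")  # '-rc1', '-SNAPSHOT', ...
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below 1.3.1, False if at or above, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


# Syntax markers of Spring Expression Language that a policy rule written by
# hand rarely needs: type references, template delimiters, constructor calls.
SPEL_MARKERS: Dict[str, "re.Pattern[str]"] = {
    "T()": re.compile(r"\bT\("),
    "#{}": re.compile(r"#\{"),
    "${}": re.compile(r"\$\{"),
    "new": re.compile(r"\bnew\s+[\w.]+\s*\("),
}

# Constructed access-log format (hypothetical): ts src user=NAME METHOD PATH STATUS [body=...]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})(?: body=(?P<body>.*))?$"
)
WRITE_METHODS = {"PUT", "POST", "PATCH"}


def scan_policy_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return write requests to /api/v1/policies whose body contains SpEL markers."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("path").startswith("/api/v1/policies"):
            continue
        if m.group("method") not in WRITE_METHODS:
            continue
        body = m.group("body") or ""
        markers = [name for name, rx in SPEL_MARKERS.items() if rx.search(body)]
        if markers:
            hits.append({
                "ts": m.group("ts"), "src": m.group("src"), "user": m.group("user"),
                "method": m.group("method"), "status": int(m.group("status")),
                "markers": markers,
            })
    return hits


# Constructed sample log: a read, a benign policy write, a write carrying a
# type-reference expression (placeholder class name), and a write to another endpoint.
SAMPLE_LOG = """\
2024-04-24T10:02:11Z 10.0.0.5 user=alice GET /api/v1/policies 200
2024-04-24T10:02:40Z 10.0.0.5 user=alice PUT /api/v1/policies 200 body={"name":"StewardPolicy","rules":[{"name":"OwnerRule","condition":"isOwner()","effect":"allow"}]}
2024-04-24T10:05:03Z 10.0.0.9 user=mallory PUT /api/v1/policies 200 body={"name":"p","rules":[{"name":"r","condition":"T(PLACEHOLDER_CLASS).placeholderCall()","effect":"allow"}]}
2024-04-24T10:06:15Z 10.0.0.9 user=mallory POST /api/v1/tables 400 body={"name":"t","description":"${not the policies endpoint}"}
"""

if __name__ == "__main__":
    for v in ("1.2.5", "1.3.1-rc1", "1.3.1", "DEMO_BETA1"):
        print(f"{v:12s} affected={is_affected(v)}")
    for hit in scan_policy_requests(SAMPLE_LOG.splitlines()):
        print("triage:", hit)
```

The path filter is deliberately narrow because the advisory scopes the flaw to /api/v1/policies; widen `WRITE_METHODS` or the path prefix if your deployment logs the endpoint differently, and feed `is_affected` the version string your instance reports rather than a value from inventory.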
CVE-2024-28253 is a critical vulnerability allowing authenticated users to execute arbitrary code in OpenMetadata Service versions ≤DEMO_BETA1 through a SpEL injection in the /api/v1/policies endpoint.
You are affected if you are running OpenMetadata Service versions prior to 1.3.1. Verify your version and upgrade immediately.
Upgrade to OpenMetadata Service version 1.3.1 or later to remediate the vulnerability. Restrict access to the /api/v1/policies endpoint as a temporary workaround.
While no widespread exploitation has been confirmed, the high CVSS score and ease of exploitation suggest a high probability of future attacks. Monitor for activity.
Refer to the OpenMetadata security advisories page for the latest information and updates: [https://open-metadata.org/security/](https://open-metadata.org/security/)